Bug 599056 (CVE-2010-0830)

Summary: CVE-2010-0830 glibc: ld.so d_tag signedness error in elf_get_dynamic_info
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: drepper, fweimer, jakub, law, rcvalle
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2012-02-13 20:53:49 UTC
Bug Depends On: 716899, 767685, 767687, 769360
Bug Blocks: 767564

Description Jan Lieskovsky 2010-06-02 15:30:05 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0830 to
the following vulnerability:

Integer signedness error in the elf_get_dynamic_info function in
elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
2.0.1 through 2.11.1, when the --verify option is used, allows
user-assisted remote attackers to execute arbitrary code via a crafted
ELF program with a negative value for a certain d_tag structure member
in the ELF header.

References:
  [1] http://drosenbe.blogspot.com/2010/05/integer-overflow-in-ldso-cve-2010-0830.html
  [2] http://frugalware.org/security/662
  [3] http://sourceware.org/git/?p=glibc.git;a=commit;h=db07e962b6ea963dbb345439f6ab9b0cf74d87c5
  [4] http://www.ubuntu.com/usn/USN-944-1
  [5] http://www.securityfocus.com/bid/40063
  [6] http://securitytracker.com/id?1024044
  [7] http://secunia.com/advisories/39900
  [8] http://www.vupen.com/english/advisories/2010/1246
  [9] http://xforce.iss.net/xforce/xfdb/58915

Comment 2 Tomas Hoger 2011-02-02 17:34:42 UTC
As noted in Dan's blog post, this issue is only relevant in very rare cases where the linker is run directly with --verify on the crafted ELF file.  In normal use, the loader loads the ELF file and executes the code in it, which naturally leads to arbitrary code execution even without this flaw.  ldd also calls the loader with --verify, but there are other known ways ldd can unexpectedly execute code from the ELF file:

http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
http://reverse.lostrealm.com/protect/ldd.html

This bug is corrected in RHEL-6 glibc packages, which include the upstream patch linked above.
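
The description above names the root cause (a signed d_tag compared against DT_NUM) and this comment names the only path that reaches it (ld.so --verify, including via ldd). The following added example, which is not glibc code and is not part of this bug report, models the range check in a self-contained C program so the two conditions can be seen side by side. It uses local stand-ins for Elf64_Dyn and the DT_* constants (so it builds without <elf.h>), an assumed table size of 34 in place of the real DT_NUM, and a constructed dynamic section containing one entry with a negative tag. The "hardened" branch compares the tag as an unsigned value, which is how I read the upstream commit linked in the description; the out-of-bounds write the original check would allow is counted rather than performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the ELF types so the example builds without <elf.h>.
 * Layout matches Elf64_Dyn: d_tag is a *signed* 64-bit value (Elf64_Sxword). */
typedef int64_t  Sxword;
typedef uint64_t Xword;
struct dyn_entry { Sxword d_tag; Xword d_val; };

/* Tag values as in elf.h. TAG_NUM stands in for DT_NUM, the size of the
 * info[] table ld.so indexes by tag; 34 is an assumed size for this demo. */
enum { TAG_NULL = 0, TAG_NEEDED = 1, TAG_STRTAB = 5, TAG_NUM = 34 };

/* The original range test: "tag < DT_NUM" with a signed tag. A negative tag
 * passes and would index before the start of info[]. */
bool accepts_tag_signed(Sxword tag)
{
    return tag < TAG_NUM;
}

/* The hardened range test: compare as unsigned, so every negative tag turns
 * into a huge value and is rejected. */
bool accepts_tag_unsigned(Sxword tag)
{
    return (Xword)tag < (Xword)TAG_NUM;
}

/* Fill info[] from a dynamic section, stopping at DT_NULL, the way
 * elf_get_dynamic_info walks l_ld. Returns how many entries the selected
 * check accepted even though their tag is negative, i.e. writes that would
 * have landed outside info[]. Those writes are counted, not performed. */
int scan_dynamic(const struct dyn_entry *dyn, size_t n, bool hardened,
                 const struct dyn_entry *info[TAG_NUM])
{
    int out_of_bounds = 0;
    memset(info, 0, sizeof(info[0]) * TAG_NUM);
    for (size_t i = 0; i < n && dyn[i].d_tag != TAG_NULL; i++) {
        Sxword tag = dyn[i].d_tag;
        bool accept = hardened ? accepts_tag_unsigned(tag)
                               : accepts_tag_signed(tag);
        if (!accept)
            continue;           /* tag rejected (or handled by another range) */
        if (tag < 0) {
            out_of_bounds++;    /* the real code would do info[tag] = dyn */
            continue;
        }
        info[tag] = &dyn[i];
    }
    return out_of_bounds;
}

/* Constructed dynamic section (not taken from any real binary): two normal
 * entries plus one crafted entry with a negative tag. */
static const struct dyn_entry sample_dyn[] = {
    { TAG_NEEDED, 1 },
    { TAG_STRTAB, 0x400 },
    { -0x10000,   0x4141414141414141ULL },  /* crafted negative d_tag */
    { TAG_NULL,   0 },
};
#define SAMPLE_LEN (sizeof(sample_dyn) / sizeof(sample_dyn[0]))

/* Out-of-bounds write count for the sample under either check. */
int sample_oob(bool hardened)
{
    const struct dyn_entry *info[TAG_NUM];
    return scan_dynamic(sample_dyn, SAMPLE_LEN, hardened, info);
}

/* d_val recorded for DT_STRTAB after the scan (0 if the slot stayed empty),
 * to show the hardened check still records the legitimate entries. */
Xword sample_strtab_val(bool hardened)
{
    const struct dyn_entry *info[TAG_NUM];
    scan_dynamic(sample_dyn, SAMPLE_LEN, hardened, info);
    return info[TAG_STRTAB] ? info[TAG_STRTAB]->d_val : 0;
}

int main(void)
{
    printf("signed check:   %d out-of-bounds write(s)\n", sample_oob(false));
    printf("unsigned check: %d out-of-bounds write(s)\n", sample_oob(true));
    return 0;
}
```

The signed check accepts the crafted entry and would write a pointer into memory before info[]; the unsigned check drops it while still recording DT_STRTAB. In ld.so this table is only filled on a file the loader was asked to inspect, so, as the comment above says, the flaw matters only for ld.so --verify and ldd, and a loader that actually runs the file is already executing attacker code.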

Comment 7 Murray McAllister 2012-01-05 10:52:24 UTC
Acknowledgements:

Red Hat would like to thank the Ubuntu Security Team for reporting this issue. The Ubuntu Security Team acknowledges Dan Rosenberg as the original reporter.

Comment 8 errata-xmlrpc 2012-02-13 20:35:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0126 https://rhn.redhat.com/errata/RHSA-2012-0126.html

Comment 9 errata-xmlrpc 2012-02-13 20:35:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html

Comment 10 Vincent Danen 2012-02-13 20:53:49 UTC
Statement:

(none)