Bug 599056 (CVE-2010-0830)
Summary: | CVE-2010-0830 glibc: ld.so d_tag signedness error in elf_get_dynamic_info | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | | |
Severity: | low | | |
Priority: | low | | |
Version: | unspecified | CC: | drepper, fweimer, jakub, law, rcvalle |
Keywords: | Security | | |
Hardware: | All | | |
OS: | Linux | | |
Doc Type: | Bug Fix | | |
Last Closed: | 2012-02-13 20:53:49 UTC | | |
Bug Depends On: | 716899, 767685, 767687, 769360 | | |
Bug Blocks: | 767564 | | |

Description
Jan Lieskovsky
2010-06-02 15:30:05 UTC
As noted in Dan's blog post, this issue is only relevant in very rare cases where the linker is run directly with --verify on the crafted ELF file. In normal use, the loader loads the ELF file and executes code in it, which naturally leads to arbitrary code execution even without this flaw. ldd also calls the loader with --verify, but there are other known ways ldd can unexpectedly execute the code from the ELF file:

http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
http://reverse.lostrealm.com/protect/ldd.html

This bug is corrected in RHEL-6 glibc packages, which include the upstream patch linked above.

Acknowledgements: Red Hat would like to thank the Ubuntu Security Team for reporting this issue. The Ubuntu Security Team acknowledges Dan Rosenberg as the original reporter.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:0126 https://rhn.redhat.com/errata/RHSA-2012-0126.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html

Statement: (none)
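
The comments above point out that both `ld.so --verify` and ldd hand the file to the loader. The following is an added example, not code from this bug report or from glibc: it reads the dynamic section of an untrusted file statically and flags negative `d_tag` values, which no standard `DT_*` constant uses. It assumes ELF64 little-endian input and that the signedness error named in the summary concerns `d_tag` read as a signed integer; `scan_dynamic` and `build_sample` are names invented here, and the sample file is constructed.

```python
import struct

PT_DYNAMIC, DT_NULL = 2, 0

def scan_dynamic(data):
    """Walk PT_DYNAMIC of an ELF64 little-endian image without loading it.

    Returns (tags, suspicious): every d_tag decoded as a signed 64-bit value,
    and the subset that is negative (assumed anomalous, see lead-in)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    tags = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", data, off)
        p_filesz, = struct.unpack_from("<Q", data, off + 0x20)
        if p_type != PT_DYNAMIC:
            continue
        # Clamp to the file so a lying p_filesz cannot push reads out of range.
        end = min(p_offset + p_filesz, len(data))
        for pos in range(p_offset, end - 15, 16):
            d_tag, _d_val = struct.unpack_from("<qQ", data, pos)  # d_tag is signed
            if d_tag == DT_NULL:
                break
            tags.append(d_tag)
    return tags, [t for t in tags if t < 0]

def build_sample(tags):
    """Constructed input: ELF64 header, one PT_DYNAMIC phdr, then the entries."""
    dyn = b"".join(struct.pack("<qQ", t, 0) for t in tags + [DT_NULL])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9)  # e_ident: 64-bit, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ",
                       PT_DYNAMIC, 6, 120, 120, 120, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    # Constructed sample: DT_NEEDED (1), DT_STRTAB (5) and one negative tag.
    tags, bad = scan_dynamic(build_sample([1, 5, -2]))
    print("d_tags:", tags, "negative:", bad)
```

To scan a real file, pass its bytes (`open(path, "rb").read()`) to `scan_dynamic`; nothing in the file is mapped or executed.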