Bug 643951
| Summary: | CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs [fedora-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomas Hoger <thoger> |
| Component: | glibc | Assignee: | Andreas Schwab <schwab> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 12 | CC: | awilliam, dcantrell, fweimer, jakub, kent, notting, ondrejj, sandro, schwab |
| Target Milestone: | --- | Keywords: | Reopened, Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | AcceptedNTH | ||
| Fixed In Version: | glibc-2.11.2-3 | Doc Type: | Release Note |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-10-30 23:47:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 643306 | ||
|
Description
Tomas Hoger
2010-10-18 15:51:38 UTC
Discussed at the 2010-10-18 Fedora 14 blocker review meeting. We definitely accept this as a nice-to-have bug (meaning we'll accept a fix for this through the release freeze) and reserve the right to accept it as a release blocker. Security team, could you please give us a summary for non-experts of the impact of this bug so we can decide whether it's a blocker or not? Your recommendation as to whether to make it a blocker would also be appreciated. Thanks. Note that to make the final release on schedule, we need a fix for this to be submitted to Koji and Bodhi today. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers This bug allows local users to escalate their privileges. It's most relevant for multi-user systems (where users are not expected to have root access), but this kind of flaws can also be used as the next stage of the attack, after some network facing service running as non-privileged user was compromised (think of compromised web application as an example). I agree with NTH rather than blocker, it can be fixed via post-GA update. If the update is available on GA date, there's little difference for users that regularly update their systems. glibc-2.12.90-17 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/glibc-2.12.90-17 Why there is still no update for F13/F12, even if this bug was reported for Fedora 13? Because there is an functional exploit for this bug and there is no simple workaround, update is required for all users. Please, can you compile packages for current stable releases? Thank you. This is such an easily exploited vulnerability giving root privileges to unpriviliged users (a dozen lines of shell script works 100% of the time), that I fear there would be severe public relations problems if Fedora were to publish a release with this security hole present. Please don't. (In reply to comment #5) > Because there is an functional exploit for this bug and there is no simple > workaround, update is required for all users. As a workaround, you can ensure that you do not have setuid/setgid binaries and (untrusted) user writeable directories on one filesystem. Tavis' advisory provides details on how to use bind mounts to separate user-writeable directories. "that I fear there would be severe public relations problems if Fedora were to publish a release with this security hole present. Please don't." I disagree. Privesc vulns aren't particularly uncommon and tend to show up regularly; we've probably shipped every release of Fedora ever with some kind of privesc vuln which was subsequently fixed in an update (I haven't checked this, but it wouldn't surprise me). the fix can be pulled into RC1 if it gets sufficient karma in time, though, so please install it, reboot, run prelink, reboot, check the system still works, and +1 the update. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers glibc-2.12.90-17 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. Reopening bug, still problem for currently supported stable Fedora 12. Please make an update. Thank you. Why wasn't this filed against F12 in the first place? (In reply to comment #12) > Why wasn't this filed against F12 in the first place? I don't know. Do you need another bug for f12? I can clone it. glibc-2.11.2-2 has been submitted as an update for Fedora 12. https://admin.fedoraproject.org/updates/glibc-2.11.2-2 re-assigning to F12, removing from F14 blocker list. glibc-2.11.2-3 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update glibc'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/glibc-2.11.2-3 glibc-2.11.2-3 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. |