Bug 667974 (CVE-2011-0536)
Summary: | CVE-2011-0536 glibc: CVE-2010-3847 fix causes linker to search CWD when running privileged program with $ORIGIN in R*PATH | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | antonio, fweimer, jakub, mnewsome, nixon, rcvalle, security-response-team, stephan.wiesand |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-04-11 14:12:40 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 649256, 660217, 670988, 682991, 688214, 688215, 688217, 688219 | ||
Bug Blocks: |
Description
Tomas Hoger
2011-01-07 14:51:17 UTC
(In reply to comment #0)
> To address this issue, 4b646a51 was reverted and the following patch was
> applied in fedora glibc git branch:
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699

This fix has not been applied to glibc master branch yet as discussed in the following libc-hacker mailing list thread: http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html

It seems the change was rejected because it removes useful and desired behaviour of having $ORIGIN supported in privileged programs' R*PATHs. The discussion does not seem to mention risks of the feature though. Andreas, have there been any other off-list discussions of this change?

Public now via Debian advisory DSA 2122-2: http://lists.debian.org/debian-security-announce/2011/msg00005.html and Ubuntu advisory USN-1009-2: https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-January/001226.html using patches listed in comment #0.

(In reply to comment #0)
> To address this issue, 4b646a51 was reverted and the following patch was
> applied in fedora glibc git branch:
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699

F13 glibc-2.12.2-1 ld.so with this patch applied still searches CWD.

If you can create a suid-root program all bets are off.

(In reply to comment #8)
> If you can create a suid-root program all bets are off.

There are two cases here:

- problem with gconv that was introduced as part of CVE-2010-3847 fix. This may lead to privilege escalation if some suid program uses gconv and it's the issue we need to address (e.g. by reverting "Never expand $ORIGIN in privileged programs" and adding "Don't expand DST twice in dl_open")
- second, there are issues that can lead to privilege escalation when you have suid with odd RPATH. While such suids are not common, users can unintentionally introduce them in their systems and create an exposure that ld.so can (should?) mitigate.

It's probably worth discussing if the linker should provide a safety net for such cases, or these can be ignored as way too uncommon to be worth changing current status quo. Hence I've created upstream bug that can be used to discuss if current behaviour is appropriate or not: http://sourceware.org/bugzilla/show_bug.cgi?id=12393

Raising impact rating to important. Additional exploitation vectors have been demonstrated, which affect common configurations.

This issue has been addressed in following products:

Red Hat Enterprise Linux 5

Via RHSA-2011:0412 https://rhn.redhat.com/errata/RHSA-2011-0412.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:0413 https://rhn.redhat.com/errata/RHSA-2011-0413.html

(In reply to comment #12)
> Raising impact rating to important. Additional exploitation vectors have been
> demonstrated, which affect common configurations.

Will these vectors be disclosed at some point? When?

(In reply to comment #15)
> Will these vectors be disclosed at some point? When?

Reporter indicated an intention to make exploit public after waiting some time to give users and downstream distros an opportunity to pick up the fix.
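The comment above notes that setuid programs with an odd RPATH are uncommon but can be introduced unintentionally, and the bug summary names $ORIGIN in a privileged program's R*PATH as the configuration at issue. The following audit script is an added example, not code from this bug report or from glibc: it reads DT_RPATH/DT_RUNPATH straight from an ELF image and flags, for setuid/setgid files only, any dynamic string token ($ORIGIN and friends), any empty search-path element (glibc treats an empty element as the current working directory) and any relative element. The parser is my own and assumes a little-endian ELF64 image that still has its section headers; the `build_test_elf` fixture constructs a minimal image for testing and is not a loadable binary.

```python
import os
import stat
import struct

# ELF constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
DST_TOKENS = ("$ORIGIN", "${ORIGIN}", "$LIB", "${LIB}", "$PLATFORM", "${PLATFORM}")


def _cstr(table, off):
    """NUL-terminated string at offset `off` of a string table."""
    return table[off:table.index(b"\x00", off)].decode("latin-1")


def elf_search_paths(data):
    """Return {'DT_RPATH': [...], 'DT_RUNPATH': [...]} found in an ELF image.

    Walks the section headers to the SHT_DYNAMIC section and its linked
    string table. Assumption: little-endian ELF64 with section headers
    present; a fully stripped image without them yields no entries."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = {"DT_RPATH": [], "DT_RUNPATH": []}
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strsh = shdrs[sh[6]]                    # sh_link -> .dynstr
        strtab = data[strsh[4]:strsh[4] + strsh[5]]
        off, end = sh[4], sh[4] + sh[5]
        while off + 16 <= end:                  # one Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from("<qQ", data, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag == DT_RPATH:
                found["DT_RPATH"].append(_cstr(strtab, val))
            elif tag == DT_RUNPATH:
                found["DT_RUNPATH"].append(_cstr(strtab, val))
    return found


def risky_elements(search_path):
    """Classify each ':'-separated element of an R*PATH string as a
    (element, reason) pair; absolute paths without tokens are not reported."""
    problems = []
    for elem in search_path.split(":"):
        if elem == "":
            problems.append((elem, "empty element: searched relative to the current directory"))
        elif any(tok in elem for tok in DST_TOKENS):
            problems.append((elem, "dynamic string token"))
        elif not elem.startswith("/"):
            problems.append((elem, "relative path"))
    return problems


def audit_image(data, privileged):
    """(tag, element, reason) findings for one ELF image. Only privileged
    (setuid/setgid) images are flagged: there the tokens are the problem this
    bug is about, while in an ordinary program $ORIGIN is normal usage."""
    if not privileged:
        return []
    return [(tag, elem, reason)
            for tag, paths in elf_search_paths(data).items()
            for p in paths
            for elem, reason in risky_elements(p)]


def audit_path(path):
    """Audit one file on disk; non-ELF and non-regular files give no findings."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return []
    privileged = bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        return []
    return audit_image(data, privileged)


def build_test_elf(rpath, runpath=False):
    """Constructed fixture: minimal ELF64 image with one DT_RPATH (or
    DT_RUNPATH) entry, enough for elf_search_paths(); not a loadable binary."""
    dynstr = b"\x00" + rpath.encode() + b"\x00"
    dyn = struct.pack("<qQ", DT_RUNPATH if runpath else DT_RPATH, 1) + struct.pack("<qQ", DT_NULL, 0)
    shstr = b"\x00.dynstr\x00.dynamic\x00.shstrtab\x00"
    o_dynstr, o_dyn = 64, 64 + len(dynstr)
    o_shstr = o_dyn + len(dyn)
    o_sh = o_shstr + len(shstr)

    def sh(name, typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (sh(0, 0, 0, 0, 0, 0) + sh(1, SHT_STRTAB, o_dynstr, len(dynstr), 0, 0)
             + sh(9, SHT_DYNAMIC, o_dyn, len(dyn), 1, 16) + sh(18, SHT_STRTAB, o_shstr, len(shstr), 0, 0))
    ehdr = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, o_sh, 0, 64, 0, 0, 64, 4, 3))
    return ehdr + dynstr + dyn + shstr + shdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for tag, elem, reason in audit_path(path):
            print(f"{path}: {tag} element {elem!r}: {reason}")
```

Run it with the setuid binaries of interest as arguments (for example the output of `find / -perm /6000 -type f`); a finding means the file's library search path is under the control of the loader's DST handling or of the working directory, which is the situation the fixed glibc packages address.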