Bug 1299754 - glibc: Bypass the pointer guarding protection on set-user-ID and set-group-ID executables (PTR_MANGLE)
Summary: glibc: Bypass the pointer guarding protection on set-user-ID and set-group-ID...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1276761 1299755
Blocks:
Reported: 2016-01-19 08:47 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 04:30 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-19 08:54:55 UTC
Embargoed:



Links: Sourceware bug 18928 (not private; priority, status and summary not set; last updated 2016-02-08 10:27:33 UTC)

Description Huzaifa S. Sidhpurwala 2016-01-19 08:47:07 UTC
A weakness was found in the dynamic loader in glibc prior to 2.22.90. LD_POINTER_GUARD in the environment was not sanitized, allowing local attackers to bypass the pointer guarding protection on set-user-ID and set-group-ID executables.

This is a different security flaw than CVE-2013-4788, and only executables which dynamically link against glibc are affected.

This issue has been fixed upstream via the following commit:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7

External References:

http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html
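Added illustration (not part of this bug report, and not glibc's own code): a C model of the x86_64 PTR_MANGLE/PTR_DEMANGLE operations and of how ld.so chose the pointer guard before and after the upstream commit referenced above. It shows why a local user who can start a set-user-ID binary with LD_POINTER_GUARD=0 could forge a mangled pointer (a saved jmp_buf register, an atexit handler, and similar) without knowing any per-process secret. The function names, the sample pointer and guard values, and the simplified loader model are assumptions made for this example; the mangling itself (XOR with the guard stored in the TCB, then rotate left by 17 on x86_64) and the "guard left at its zero initial value when disabled" behaviour follow glibc's sysdep.h and the security_init() change in the upstream commit.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rotations used by glibc's x86_64 PTR_MANGLE/PTR_DEMANGLE (rol/ror $17). */
static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* PTR_MANGLE on x86_64: xor with the per-process pointer guard (held at
   %fs:0x30 in the TCB), then rotate left by 17.  For this example the guard
   is an explicit parameter instead of being read from the TCB. */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)
{
    return rol64(ptr ^ guard, 17);
}

/* PTR_DEMANGLE: rotate right by 17, then xor with the guard. */
uint64_t ptr_demangle(uint64_t mangled, uint64_t guard)
{
    return ror64(mangled, 17) ^ guard;
}

/* Simplified model (an assumption of this example) of how ld.so's
   security_init() picked the guard.  ld_pointer_guard is the value of
   LD_POINTER_GUARD from the environment (NULL if unset); random_guard stands
   for the bytes the loader takes from AT_RANDOM.
   Before the fix: a value starting with '0' cleared GLRO(dl_pointer_guard),
   security_init() skipped the guard setup, and the zero-initialised TCB field
   stayed zero.  LD_POINTER_GUARD was not stripped for AT_SECURE processes, so
   this also applied to set-user-ID and set-group-ID executables.
   After the fix: the variable is ignored and the guard is always set. */
uint64_t loader_pointer_guard(const char *ld_pointer_guard, uint64_t random_guard, int after_fix)
{
    if (after_fix)
        return random_guard;
    int enabled = (ld_pointer_guard == NULL) || (ld_pointer_guard[0] != '0');
    return enabled ? random_guard : 0;
}

/* An attacker who can overwrite a mangled pointer must supply the mangled
   form of the address they want control to reach.  Returns 1 if a value
   computed with guessed_guard demangles to target under the guard the
   process really uses, i.e. the forgery works. */
int forge_succeeds(uint64_t target, uint64_t guessed_guard, uint64_t real_guard)
{
    uint64_t forged = ptr_mangle(target, guessed_guard);
    return ptr_demangle(forged, real_guard) == target;
}

int main(void)
{
    /* Constructed sample values: a libc-like code address and an
       AT_RANDOM-derived guard.  Neither comes from a real process. */
    const uint64_t target = 0x00007ffff7a5d0e0ULL;
    const uint64_t random_guard = 0x3a7f91c2d4e6b805ULL;

    uint64_t g_vuln  = loader_pointer_guard("0", random_guard, 0);
    uint64_t g_fixed = loader_pointer_guard("0", random_guard, 1);

    printf("guard with LD_POINTER_GUARD=0, before fix: 0x%016" PRIx64 "\n", g_vuln);
    printf("guard with LD_POINTER_GUARD=0, after fix:  0x%016" PRIx64 "\n", g_fixed);
    printf("forgery guessing guard 0, before fix: %s\n",
           forge_succeeds(target, 0, g_vuln) ? "succeeds" : "fails");
    printf("forgery guessing guard 0, after fix:  %s\n",
           forge_succeeds(target, 0, g_fixed) ? "succeeds" : "fails");
    return 0;
}
```

Compile with `cc -std=c11 -Wall ptrguard.c`. On a real system the guard never leaves the TCB; what this models is the attacker's position: with the guard forced to zero, PTR_MANGLE degrades to a bare rotation that anyone can compute, so a write primitive over a mangled function pointer becomes a controlled jump. The practical check is whether the installed ld.so predates the upstream commit (glibc 2.22.90 and later, or a distribution build carrying the backport, ignore LD_POINTER_GUARD entirely); statically linked set-user-ID binaries are unaffected because they do not go through the dynamic loader's environment handling.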

Comment 1 Huzaifa S. Sidhpurwala 2016-01-19 08:47:51 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1299755]

Comment 2 Huzaifa S. Sidhpurwala 2016-01-19 08:51:50 UTC
CVE request:
http://www.openwall.com/lists/oss-security/2015/09/05/8

No CVE has been assigned by MITRE yet.

Comment 4 Florian Weimer 2016-02-08 10:30:31 UTC
This bug appears to be a duplicate of bug 1260581.

