Bug 1526865 (CVE-2017-16997) - CVE-2017-16997 glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries
Alias: CVE-2017-16997
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20171217,repor...
Keywords: Reopened, Security
Depends On: 1526866 1540465 1540480
Blocks: 1526867
Reported: 2017-12-18 04:03 UTC by Sam Fowler
Modified: 2019-06-08 22:34 UTC (History)
Last Closed: 2019-06-08 03:34:35 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3092 None None None 2018-10-30 07:36 UTC

Description Sam Fowler 2017-12-18 04:03:13 UTC
Incorrect handling of RPATH (or RUNPATH) in elf/dl-load.c could be used to run executables with libraries loaded from the current directory. Executables with AT_SECURE or SETUID that contain '$ORIGIN' in RPATH/RUNPATH could be used to run arbitrary code and lead to escalation of privileges.

This vulnerability was introduced in glibc version 2.19.
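
A check for the condition described above, as an added example that is not part of the bug report or of glibc: it lists setuid/setgid files whose RPATH or RUNPATH contains `$ORIGIN`. It assumes `readelf` (binutils) and a `find` that supports `-perm /mode`; the function names and the sample dynamic-section lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helper, not code from the bug report or from glibc.

# Read `readelf -d` output on stdin and print "<TAG> <value>" for every
# RPATH/RUNPATH entry whose value contains the $ORIGIN or ${ORIGIN} token.
origin_paths() {
    sed -nE 's/^.*\((RPATH|RUNPATH)\).*\[(.*)\].*$/\1 \2/p' |
        grep -E '\$(\{ORIGIN\}|ORIGIN)' || true
}

# Constructed sample of `readelf -d` output (not from a real binary).
sample_dynamic() {
cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/opt/app/lib]
 0x000000000000000c (INIT)               0x1000
EOF
}

# Walk the given directories for setuid/setgid regular files and report the
# ones whose RPATH/RUNPATH uses $ORIGIN. File names containing newlines are
# not handled. Unreadable files and non-ELF files are skipped silently.
audit_setid() {
    find "$@" -xdev -type f -perm /6000 2>/dev/null |
    while IFS= read -r f; do
        hits=$(readelf -d "$f" 2>/dev/null | origin_paths)
        if [ -n "$hits" ]; then
            printf '%s: %s\n' "$f" "$hits"
        fi
    done
}

# Usage: sh audit.sh /usr/bin /usr/sbin /opt
if [ "$#" -gt 0 ]; then
    audit_setid "$@"
fi
```

Any file it reports is a privileged executable that relies on `$ORIGIN` expansion and should be checked against a glibc build that carries the fix.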


Comment 1 Sam Fowler 2017-12-18 04:04:01 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1526866]

Comment 3 Huzaifa S. Sidhpurwala 2017-12-18 09:58:22 UTC
The Fedora version of glibc carries the following patch and is therefore not vulnerable:


From 207e77fd3f0a94acdf0557608dd4f10ce0e0f22f Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@redhat.com>
Date: Mon, 9 May 2011 10:55:58 +0200
Subject: [PATCH] Never leave $ORIGIN unexpanded

Comment 8 Huzaifa S. Sidhpurwala 2018-01-31 05:59:47 UTC
This issue is addressed by the following upstream commit:


Comment 11 errata-xmlrpc 2018-10-30 07:36:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3092 https://access.redhat.com/errata/RHSA-2018:3092
