Incorrect handling of RPATH (or RUNPATH) in elf/dl-load.c could be used to run executables with libraries loaded from the current directory. Executables with AT_SECURE or SETUID that contain '$ORIGIN' in RPATH/RUNPATH could be used to run arbitrary code and lead to escalation of privileges. This vulnerability was introduced in glibc version 2.19.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=22625
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884615
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16997
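An added example, not part of the original report or of glibc: a Python audit helper for the condition described above. It lists set-uid/set-gid files whose RPATH/RUNPATH contains $ORIGIN and, going slightly beyond the report, also flags empty or relative elements, which the loader resolves against the current directory. The function names and the sample line are constructed; it assumes binutils' readelf is on PATH and does not check file capabilities, which also set AT_SECURE.

```python
import os
import re
import stat
import subprocess
import sys

# Lines that `readelf -d` prints for DT_RPATH / DT_RUNPATH.
DYN_PATH = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")
ORIGIN = re.compile(r"\$(?:ORIGIN\b|\{ORIGIN\})")
# Constructed sample of readelf output, not taken from a real binary.
SAMPLE = " 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/usr/lib/app]\n"

def risky_entries(readelf_dynamic):
    """Return (tag, element, reason) for each search-path element worth review."""
    findings = []
    for tag, value in DYN_PATH.findall(readelf_dynamic):
        for element in value.split(":"):
            if ORIGIN.search(element):
                findings.append((tag, element, "uses $ORIGIN"))
            elif not element.startswith("/"):
                findings.append((tag, element, "relative to current directory"))
    return findings

def is_privileged(mode):
    """True for regular files carrying the set-uid or set-gid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def audit(root):
    """Walk root and yield (path, findings) for privileged files with risky entries."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # entry vanished or cannot be examined
            if not is_privileged(mode):
                continue
            out = subprocess.run(["readelf", "-d", path], capture_output=True,
                                 text=True, errors="replace").stdout
            if found := risky_entries(out):
                yield path, found

if __name__ == "__main__":
    print(risky_entries(SAMPLE))  # constructed sample
    for root in sys.argv[1:]:
        for hit in audit(root):
            print(*hit)
```

Pass one or more directories as arguments to scan them; every hit is a candidate for rebuilding with an absolute search path or for dropping the privileged bit.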
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1526866]
The Fedora version of glibc carries the following patch and is therefore not vulnerable:

glibc-fedora-elf-ORIGIN.patch:

From 207e77fd3f0a94acdf0557608dd4f10ce0e0f22f Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab>
Date: Mon, 9 May 2011 10:55:58 +0200
Subject: [PATCH] Never leave $ORIGIN unexpanded
This issue is addressed by the following upstream commit:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1998843fb78d9b3ebc0216757042ce4b00dd08a1
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2018:3092 https://access.redhat.com/errata/RHSA-2018:3092