Bug 1526865 (CVE-2017-16997) - CVE-2017-16997 glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries
Status: CLOSED ERRATA
Alias: CVE-2017-16997
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20171217,repor...
Keywords: Reopened, Security
Depends On: 1526866 1540465 1540480
Blocks: 1526867
Reported: 2017-12-18 04:03 UTC by Sam Fowler
Modified: 2019-06-08 22:34 UTC
Last Closed: 2019-06-08 03:34:35 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3092 None None None 2018-10-30 07:36 UTC

Description Sam Fowler 2017-12-18 04:03:13 UTC
Incorrect handling of RPATH (or RUNPATH) in elf/dl-load.c could be used to run executables with libraries loaded from the current directory. Executables with AT_SECURE or SETUID that contain '$ORIGIN' in RPATH/RUNPATH could be used to run arbitrary code and lead to escalation of privileges.

This vulnerability was introduced in glibc version 2.19.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=22625
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884615
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16997
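
An audit sketch for the condition described above, added here as an example and not taken from the bug report or from glibc: it reads DT_RPATH/DT_RUNPATH from a 64-bit little-endian ELF image and reports entries containing $ORIGIN when the file mode carries setuid or setgid bits. The function names and the constructed `sample_elf` input are hypothetical; binaries that get AT_SECURE through file capabilities are not covered by the mode check.

```python
import itertools, stat, struct
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29

def search_paths(elf):
    """(tag, directory) pairs from DT_RPATH/DT_RUNPATH of a 64-bit little-endian ELF."""
    if elf[:6] != b"\x7fELF\x02\x01":
        return []
    phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    loads, raw = [], b""
    for i in range(phnum):
        p_type, _, off, vaddr, _, filesz = struct.unpack_from("<IIQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((vaddr, off, filesz))
        elif p_type == PT_DYNAMIC:
            raw = elf[off:off + filesz]
    pairs = struct.iter_unpack("<qQ", raw[:len(raw) // 16 * 16])
    entries = list(itertools.takewhile(lambda e: e[0] != DT_NULL, pairs))
    strtab = next((v for t, v in entries if t == DT_STRTAB), None)
    # DT_STRTAB is a virtual address; map it to a file offset through PT_LOAD.
    base = next((off + strtab - va for va, off, sz in loads
                 if strtab is not None and va <= strtab < va + sz), None)
    if base is None:
        return []
    found = []
    for tag, val in entries:
        if tag in (DT_RPATH, DT_RUNPATH):
            name = "RPATH" if tag == DT_RPATH else "RUNPATH"
            dirs = elf[base + val:].split(b"\0", 1)[0].decode("utf-8", "replace")
            found += [(name, d) for d in dirs.split(":")]
    return found

def flagged(elf, mode):
    """$ORIGIN search-path entries, reported only for setuid/setgid file modes."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    return [(t, d) for t, d in search_paths(elf) if "$ORIGIN" in d or "${ORIGIN}" in d]

def sample_elf(runpath=b"$ORIGIN/../lib"):
    """Constructed input: ELF64 header, one PT_LOAD, one PT_DYNAMIC, a string table."""
    dyn_off, str_off, va = 176, 224, 0x400000   # 64 + 2*56, then 3 dynamic entries
    size = str_off + len(runpath) + 2
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, va, va, size, size, 0x1000) + \
        struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, va + dyn_off, va + dyn_off, 48, 48, 8)
    dyn = struct.pack("<qQqQqQ", DT_STRTAB, va + str_off, DT_RUNPATH, 1, DT_NULL, 0)
    return ehdr + phdrs + dyn + b"\0" + runpath + b"\0"
```

For a file on disk, pass its contents and `os.stat(path).st_mode` to `flagged`.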

Comment 1 Sam Fowler 2017-12-18 04:04:01 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1526866]

Comment 3 Huzaifa S. Sidhpurwala 2017-12-18 09:58:22 UTC
The Fedora version of glibc carries the following patch and is therefore not vulnerable:

glibc-fedora-elf-ORIGIN.patch:

From 207e77fd3f0a94acdf0557608dd4f10ce0e0f22f Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@redhat.com>
Date: Mon, 9 May 2011 10:55:58 +0200
Subject: [PATCH] Never leave $ORIGIN unexpanded

Comment 8 Huzaifa S. Sidhpurwala 2018-01-31 05:59:47 UTC
This issue is addressed by the following upstream commit:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1998843fb78d9b3ebc0216757042ce4b00dd08a1

Comment 11 errata-xmlrpc 2018-10-30 07:36:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3092 https://access.redhat.com/errata/RHSA-2018:3092
