Bug 2238352 (CVE-2023-4911) - CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation
Summary: CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation
Keywords:
Status: NEW
Alias: CVE-2023-4911
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2238674 2241966
Blocks: 2237321
Reported: 2023-09-11 15:23 UTC by Zack Miele
Modified: 2024-04-12 16:39 UTC

Fixed In Version: glibc 2.39
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5495 0 None None None 2023-10-09 01:01:26 UTC
Red Hat Product Errata RHBA-2023:5496 0 None None None 2023-10-09 01:03:12 UTC
Red Hat Product Errata RHBA-2023:5497 0 None None None 2023-10-09 01:11:14 UTC
Red Hat Product Errata RHBA-2023:5498 0 None None None 2023-10-09 01:05:34 UTC
Red Hat Product Errata RHBA-2023:5499 0 None None None 2023-10-09 01:07:26 UTC
Red Hat Product Errata RHBA-2023:5500 0 None None None 2023-10-09 01:09:38 UTC
Red Hat Product Errata RHBA-2023:5501 0 None None None 2023-10-09 01:14:56 UTC
Red Hat Product Errata RHBA-2023:5502 0 None None None 2023-10-09 01:20:41 UTC
Red Hat Product Errata RHBA-2023:5503 0 None None None 2023-10-09 01:11:25 UTC
Red Hat Product Errata RHBA-2023:5504 0 None None None 2023-10-09 01:12:10 UTC
Red Hat Product Errata RHBA-2023:5505 0 None None None 2023-10-09 01:12:29 UTC
Red Hat Product Errata RHBA-2023:5512 0 None None None 2023-10-09 01:19:03 UTC
Red Hat Product Errata RHBA-2023:5513 0 None None None 2023-10-09 01:27:59 UTC
Red Hat Product Errata RHBA-2023:5514 0 None None None 2023-10-09 01:25:57 UTC
Red Hat Product Errata RHBA-2023:5515 0 None None None 2023-10-09 01:29:35 UTC
Red Hat Product Errata RHBA-2023:5516 0 None None None 2023-10-09 01:32:01 UTC
Red Hat Product Errata RHBA-2023:5518 0 None None None 2023-10-09 09:43:34 UTC
Red Hat Product Errata RHBA-2023:5519 0 None None None 2023-10-09 09:43:23 UTC
Red Hat Product Errata RHBA-2023:5521 0 None None None 2023-10-09 10:03:49 UTC
Red Hat Product Errata RHBA-2023:5522 0 None None None 2023-10-09 09:53:57 UTC
Red Hat Product Errata RHBA-2023:5523 0 None None None 2023-10-09 09:44:55 UTC
Red Hat Product Errata RHBA-2023:5543 0 None None None 2023-10-09 15:55:15 UTC
Red Hat Product Errata RHBA-2023:5550 0 None None None 2023-10-10 09:47:58 UTC
Red Hat Product Errata RHBA-2023:5551 0 None None None 2023-10-10 09:53:43 UTC
Red Hat Product Errata RHBA-2023:5552 0 None None None 2023-10-10 09:54:05 UTC
Red Hat Product Errata RHBA-2023:5553 0 None None None 2023-10-10 10:08:37 UTC
Red Hat Product Errata RHBA-2023:5554 0 None None None 2023-10-10 09:54:11 UTC
Red Hat Product Errata RHBA-2023:5555 0 None None None 2023-10-10 09:54:16 UTC
Red Hat Product Errata RHBA-2023:5556 0 None None None 2023-10-10 09:53:59 UTC
Red Hat Product Errata RHBA-2023:5557 0 None None None 2023-10-10 09:49:12 UTC
Red Hat Product Errata RHBA-2023:5558 0 None None None 2023-10-10 10:15:11 UTC
Red Hat Product Errata RHBA-2023:5559 0 None None None 2023-10-10 09:57:03 UTC
Red Hat Product Errata RHBA-2023:5560 0 None None None 2023-10-10 09:59:06 UTC
Red Hat Product Errata RHBA-2023:5561 0 None None None 2023-10-10 10:00:33 UTC
Red Hat Product Errata RHBA-2023:5567 0 None None None 2023-10-10 10:08:07 UTC
Red Hat Product Errata RHBA-2023:5569 0 None None None 2023-10-10 10:08:12 UTC
Red Hat Product Errata RHBA-2023:5573 0 None None None 2023-10-10 10:04:55 UTC
Red Hat Product Errata RHBA-2023:5577 0 None None None 2023-10-10 10:08:54 UTC
Red Hat Product Errata RHBA-2023:5581 0 None None None 2023-10-10 10:29:22 UTC
Red Hat Product Errata RHBA-2023:5582 0 None None None 2023-10-10 13:42:27 UTC
Red Hat Product Errata RHBA-2023:5584 0 None None None 2023-10-10 13:42:51 UTC
Red Hat Product Errata RHBA-2023:5585 0 None None None 2023-10-10 13:49:58 UTC
Red Hat Product Errata RHBA-2023:5649 0 None None None 2023-10-10 20:16:59 UTC
Red Hat Product Errata RHBA-2023:5650 0 None None None 2023-10-10 20:20:38 UTC
Red Hat Product Errata RHBA-2023:5651 0 None None None 2023-10-10 20:20:55 UTC
Red Hat Product Errata RHBA-2023:5658 0 None None None 2023-10-11 07:43:01 UTC
Red Hat Product Errata RHBA-2023:5659 0 None None None 2023-10-11 08:24:48 UTC
Red Hat Product Errata RHBA-2023:5663 0 None None None 2023-10-11 13:31:00 UTC
Red Hat Product Errata RHBA-2023:5664 0 None None None 2023-10-11 13:44:08 UTC
Red Hat Product Errata RHBA-2023:5665 0 None None None 2023-10-11 13:42:58 UTC
Red Hat Product Errata RHBA-2023:5670 0 None None None 2023-10-12 01:30:36 UTC
Red Hat Product Errata RHBA-2023:5685 0 None None None 2023-10-12 13:21:12 UTC
Red Hat Product Errata RHBA-2023:5702 0 None None None 2023-10-16 01:21:37 UTC
Red Hat Product Errata RHBA-2023:5703 0 None None None 2023-10-16 07:18:24 UTC
Red Hat Product Errata RHBA-2023:5722 0 None None None 2023-10-16 12:20:08 UTC
Red Hat Product Errata RHBA-2023:5723 0 None None None 2023-10-16 12:31:06 UTC
Red Hat Product Errata RHBA-2023:5748 0 None None None 2023-10-16 15:13:43 UTC
Red Hat Product Errata RHBA-2023:5755 0 None None None 2023-10-16 15:10:39 UTC
Red Hat Product Errata RHBA-2023:5757 0 None None None 2023-10-16 15:34:35 UTC
Red Hat Product Errata RHBA-2023:5760 0 None None None 2023-10-17 07:42:50 UTC
Red Hat Product Errata RHBA-2023:5798 0 None None None 2023-10-17 16:08:54 UTC
Red Hat Product Errata RHBA-2023:5910 0 None None None 2023-10-19 09:04:28 UTC
Red Hat Product Errata RHBA-2023:6043 0 None None None 2023-10-23 18:48:09 UTC
Red Hat Product Errata RHBA-2023:6184 0 None None None 2023-10-30 14:09:35 UTC
Red Hat Product Errata RHSA-2023:5453 0 None None None 2023-10-05 13:54:34 UTC
Red Hat Product Errata RHSA-2023:5454 0 None None None 2023-10-05 13:05:47 UTC
Red Hat Product Errata RHSA-2023:5455 0 None None None 2023-10-05 14:01:24 UTC
Red Hat Product Errata RHSA-2023:5476 0 None None None 2023-10-05 15:32:34 UTC
Red Hat Product Errata RHSA-2024:0033 0 None None None 2024-01-03 14:07:49 UTC

Description Zack Miele 2023-09-11 15:23:29 UTC
Researchers discovered a vulnerability in the GNU C Library's dynamic loader (ld.so). This vulnerability was introduced in April 2021 (glibc 2.34) by the following commit: https://sourceware.org/git?p=glibc.git;a=commit;h=2ed18c5b534d9e92fc006202a5af0df6b72e7aca

Per researchers, this vulnerability is exploitable by any local user and can lead to privilege escalation when combined with almost any SUID-root binary.

Comment 14 Zack Miele 2023-10-03 17:12:25 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2241966]

Comment 17 errata-xmlrpc 2023-10-05 13:05:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5454 https://access.redhat.com/errata/RHSA-2023:5454

Comment 18 errata-xmlrpc 2023-10-05 13:54:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5453 https://access.redhat.com/errata/RHSA-2023:5453

Comment 19 errata-xmlrpc 2023-10-05 14:01:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5455 https://access.redhat.com/errata/RHSA-2023:5455

Comment 20 errata-xmlrpc 2023-10-05 15:32:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5476 https://access.redhat.com/errata/RHSA-2023:5476

Comment 21 Marco Fortina 2023-10-06 15:27:09 UTC
To the CentOS community: please apply https://sourceware.org/git/?p=glibc.git;a=patch;h=1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa to CentOS Stream 8/9

Thanks

Comment 24 errata-xmlrpc 2024-01-03 14:07:44 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2024:0033 https://access.redhat.com/errata/RHSA-2024:0033
