Tested on Beta1. Details follow from bugtraq post: From: Charles Stevenson <csteven.COM> To: BUGTRAQ Subject: Glibc Local Root Exploit Hi all, This has been bouncing around on vuln-dev and the debian-devel lists. It effects glibc >= 2.1.9x and it would seem many if not all OSes using these versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and the actual fix was a missing comma in the list of secure env vars that were supposed to be cleared when a program starts up suid/sgid (including RESOLV_HOST_CONF)." The exploit varies from system to system but in our devel version of Yellow Dog Linux I was able to print the /etc/shadow file as a normal user in the following manner: export RESOLV_HOST_CONF=/etc/shadow ssh whatever.host.com Other programs have the same effect depending on the defaults for the system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0 (prerelease), and Debian Woody. Others have reported similar results on slackware and even "home brew[ed]" GNU/Linux.
It is not remote root exploit, I'm not sure it is even local root exploit if md5 passwords are used, it just means you can read any file on the filesystem you want (and some other bug means you can overwrite any file you want with garbage you don't control). The fixed rpms are ready, QA will be testing them today, hopefully they will go out today.
This defect is considered MUST-FIX for Florence Gold release
Fixed in glibc-2.2-12.