Red Hat Bugzilla – Bug 23741
glibc-2.2-8 vulnerable to remote root exploit
Last modified: 2016-11-24 10:27:03 EST
Tested on Beta1. Details follow from bugtraq post:
From: Charles Stevenson <csteven@NEWHOPE.TERRAPLEX.COM>
Subject: Glibc Local Root Exploit
This has been bouncing around on vuln-dev and the debian-devel lists. It
affects glibc >= 2.1.9x and it would seem many if not all OSes using these
versions of glibc. Ben Collins writes, "This wasn't supposed to happen, and
the actual fix was a missing comma in the list of secure env vars that were
supposed to be cleared when a program starts up suid/sgid (including
RESOLV_HOST_CONF)." The exploit varies from system to system but in our
devel version of Yellow Dog Linux I was able to print the /etc/shadow file
as a normal user in the following manner:
Other programs have the same effect depending on the defaults for the
system. I have tested this on Red Hat 7.0, Yellow Dog Linux 2.0
(prerelease), and Debian Woody. Others have reported similar results on
Slackware and even "home brew[ed]" GNU/Linux.
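To show what the "missing comma" mentioned above does, here is an added example (not glibc's code; the variable lists are constructed and much shorter than glibc's): C silently concatenates adjacent string literals, so a dropped comma in the table of variables to clear for set-user-ID programs merges two names into one that never matches, and a build-time length check is the cheap guard against that class of typo.

```c
#include <stddef.h>
#include <string.h>
/* Constructed lists of variables a set-user-ID program must drop. "buggy"
 * omits the comma after RESOLV_HOST_CONF: C merges adjacent string literals,
 * so two names collapse into one bogus entry and neither is ever cleared. */
static const char *const buggy_list[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF"        /* missing comma */
    "RES_OPTIONS", "TMPDIR",
};
static const char *const fixed_list[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH",
    "RESOLV_HOST_CONF", "RES_OPTIONS", "TMPDIR",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
/* Cheapest guard against this typo: a lost comma changes the array length. */
_Static_assert(COUNT(fixed_list) == 5, "unsafe-env list lost an entry");
/* 1 if the "NAME=value" entry names a variable in list (exact name match). */
static int is_unsafe(const char *entry, const char *const *list, size_t n)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (size_t i = 0; i < n; i++)
        if (strlen(list[i]) == len && memcmp(entry, list[i], len) == 0)
            return 1;
    return 0;
}
/* Drop listed variables from a NULL-terminated env in place; returns count dropped. */
static size_t scrub_env(char **envp, const char *const *list, size_t n)
{
    size_t in = 0, out = 0;
    for (; envp[in] != NULL; in++)
        if (!is_unsafe(envp[in], list, n))
            envp[out++] = envp[in];
    envp[out] = NULL;
    return in - out;
}

/* Scrub a constructed env with list; 1 if RESOLV_HOST_CONF survived (the bug). */
static int resolv_host_conf_survives(const char *const *list, size_t n)
{
    char e0[] = "PATH=/usr/bin", e1[] = "RESOLV_HOST_CONF=/tmp/x", e2[] = "HOME=/tmp";
    char *env[] = { e0, e1, e2, NULL };
    scrub_env(env, list, n);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], "RESOLV_HOST_CONF=", 17) == 0)
            return 1;
    return 0;
}
```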
It is not a remote root exploit, I'm not sure it is even a local root exploit
if MD5 passwords are used, it just means you can read any file on the filesystem
you want (and some other bug means you can overwrite any file you want
with garbage you don't control).
The fixed rpms are ready, QA will be testing them today, hopefully they will
go out today.
This defect is considered MUST-FIX for Florence Gold release
Fixed in glibc-2.2-12.