Bug 599056 (CVE-2010-0830) - CVE-2010-0830 glibc: ld.so d_tag signedness error in elf_get_dynamic_info
Summary: CVE-2010-0830 glibc: ld.so d_tag signedness error in elf_get_dynamic_info
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0830
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 716899 767685 767687 769360
Blocks: 767564
Reported: 2010-06-02 15:30 UTC by Jan Lieskovsky
Modified: 2023-05-12 22:04 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-13 20:53:49 UTC
Embargoed:

Links
System                  ID              Private  Priority  Status        Summary                                      Last Updated
Red Hat Product Errata  RHSA-2012:0125  0        normal    SHIPPED_LIVE  Moderate: glibc security and bug fix update  2012-02-14 01:33:53 UTC
Red Hat Product Errata  RHSA-2012:0126  0        normal    SHIPPED_LIVE  Moderate: glibc security update              2012-02-14 01:33:37 UTC

Description Jan Lieskovsky 2010-06-02 15:30:05 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0830 to
the following vulnerability:

Integer signedness error in the elf_get_dynamic_info function in
elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
2.0.1 through 2.11.1, when the --verify option is used, allows
user-assisted remote attackers to execute arbitrary code via a crafted
ELF program with a negative value for a certain d_tag structure member
in the ELF header.

References:
  [1] http://drosenbe.blogspot.com/2010/05/integer-overflow-in-ldso-cve-2010-0830.html
  [2] http://frugalware.org/security/662
  [3] http://sourceware.org/git/?p=glibc.git;a=commit;h=db07e962b6ea963dbb345439f6ab9b0cf74d87c5
  [4] http://www.ubuntu.com/usn/USN-944-1
  [5] http://www.securityfocus.com/bid/40063
  [6] http://securitytracker.com/id?1024044
  [7] http://secunia.com/advisories/39900
  [8] http://www.vupen.com/english/advisories/2010/1246
  [9] http://xforce.iss.net/xforce/xfdb/58915
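As an added illustration (not glibc's own code, and not from the bug report or the linked upstream commit): a stand-alone scanner over a constructed dynamic section that shows the signed range check which lets a negative d_tag index the info[] table, beside the unsigned comparison that rejects it. The struct, the DT_* constants, DT_NUM_ and the sample entries are assumptions that mirror the elf.h definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Stand-in for the elf.h type: Elf64_Dyn.d_tag is a signed Elf64_Sxword. */
typedef struct {
    int64_t  d_tag;   /* signed, as in <elf.h> */
    uint64_t d_val;
} dyn_entry;

#define DT_NULL   0
#define DT_NEEDED 1
#define DT_STRTAB 5
#define DT_NUM_   35  /* assumed table size standing in for glibc's DT_NUM */
/* Vulnerable check (pre-fix ld.so): d_tag is signed, so a negative tag
 * satisfies "< DT_NUM" and would be used as a negative index into info[]. */
bool tag_in_table_vulnerable(int64_t d_tag) {
    return d_tag < DT_NUM_;
}
/* Fixed check (the approach of the upstream commit): compare as unsigned, so
 * a negative tag wraps to a huge value and falls outside the table. */
bool tag_in_table_fixed(int64_t d_tag) {
    return (uint64_t) d_tag < (uint64_t) DT_NUM_;
}

/* Walk a dynamic section the way elf_get_dynamic_info does, recording only
 * entries that pass the fixed check. Returns how many entries were rejected. */
size_t scan_dynamic(const dyn_entry *dyn, const dyn_entry *info[DT_NUM_]) {
    size_t rejected = 0;
    for (size_t i = 0; i < DT_NUM_; ++i)
        info[i] = NULL;
    for (; dyn->d_tag != DT_NULL; ++dyn) {
        if (tag_in_table_fixed(dyn->d_tag))
            info[dyn->d_tag] = dyn;      /* index is now provably in range */
        else
            ++rejected;                  /* catches any crafted negative tag */
    }
    return rejected;
}
/* Constructed sample section: two normal entries, one crafted negative tag
 * (the kind the vulnerable check lets through), then the DT_NULL terminator. */
static const dyn_entry sample_dynamic[] = {
    { DT_NEEDED, 0x10   },
    { DT_STRTAB, 0x400  },
    { -1000,     0xdead },
    { DT_NULL,   0      },
};
size_t scan_sample(const dyn_entry *info[DT_NUM_]) {
    return scan_dynamic(sample_dynamic, info);
}
```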

Comment 2 Tomas Hoger 2011-02-02 17:34:42 UTC
As noted in Dan's blog post, this issue is only relevant in very rare cases where the linker is run directly with --verify on the crafted ELF file.  In normal use, the loader loads the ELF file and executes the code in it, which naturally leads to arbitrary code execution even without this flaw.  ldd also calls the loader with --verify, but there are other known ways ldd can unexpectedly execute the code from the ELF file:

http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
http://reverse.lostrealm.com/protect/ldd.html

This bug is corrected in RHEL-6 glibc packages, which include the upstream patch linked above.

Comment 7 Murray McAllister 2012-01-05 10:52:24 UTC
Acknowledgements:

Red Hat would like to thank the Ubuntu Security Team for reporting this issue. The Ubuntu Security Team acknowledges Dan Rosenberg as the original reporter.

Comment 8 errata-xmlrpc 2012-02-13 20:35:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0126 https://rhn.redhat.com/errata/RHSA-2012-0126.html

Comment 9 errata-xmlrpc 2012-02-13 20:35:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html

Comment 10 Vincent Danen 2012-02-13 20:53:49 UTC
Statement:

(none)
