Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0830 to the following vulnerability: Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header.
References:
[1] http://drosenbe.blogspot.com/2010/05/integer-overflow-in-ldso-cve-2010-0830.html
[2] http://frugalware.org/security/662
[3] http://sourceware.org/git/?p=glibc.git;a=commit;h=db07e962b6ea963dbb345439f6ab9b0cf74d87c5
[4] http://www.ubuntu.com/usn/USN-944-1
[5] http://www.securityfocus.com/bid/40063
[6] http://securitytracker.com/id?1024044
[7] http://secunia.com/advisories/39900
[8] http://www.vupen.com/english/advisories/2010/1246
[9] http://xforce.iss.net/xforce/xfdb/58915
As noted in Dan's blog post, this issue is only relevant in very rare cases where the linker is run directly with --verify on the crafted ELF file. In normal use, the loader loads the ELF file and executes code in it, which naturally leads to arbitrary code execution even without this flaw. ldd also calls the loader with --verify, but there are other known ways ldd can unexpectedly execute code from the ELF file:
http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
http://reverse.lostrealm.com/protect/ldd.html
This bug is corrected in RHEL-6 glibc packages, which include the upstream patch linked above.
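The bug class described above, as an added illustration that is not glibc's code or the upstream patch: a simplified dynamic-section walk where d_tag is a signed Elf32_Sword, shown with the signed bound check that lets a negative tag through beside the unsigned comparison that rejects it. The type names, DT_NUM value, function names and the sample dynamic section are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the ELF dynamic-section types (hypothetical simplification,
 * not glibc's headers). d_tag is a *signed* Elf32_Sword in the ELF ABI. */
typedef int32_t  Elf32_Sword;
typedef uint32_t Elf32_Word;
typedef struct { Elf32_Sword d_tag; Elf32_Word d_val; } Elf32_Dyn;
#define DT_NULL 0
#define DT_NUM  34   /* info[] has DT_NUM slots indexed directly by d_tag */

/* Constructed sample: a dynamic section with one valid tag, one crafted
 * negative tag, one out-of-range positive tag, then the DT_NULL terminator. */
static const Elf32_Dyn crafted_dyn[] = {
    {  1, 0x10 }, { -5, 0xdead }, { 100, 1 }, { DT_NULL, 0 }
};
static const size_t crafted_dyn_len = sizeof crafted_dyn / sizeof crafted_dyn[0];

/* Vulnerable pattern (signed compare): a negative d_tag satisfies "< DT_NUM",
 * so a loader written this way would write info[d_tag], i.e. before the array
 * start. Here we only count how many entries the check lets through, and how
 * many of those are negative, instead of performing the out-of-bounds write. */
static int signed_check_accepts(const Elf32_Dyn *dyn, size_t n, int *negative) {
    int accepted = 0;
    *negative = 0;
    for (size_t i = 0; i < n && dyn[i].d_tag != DT_NULL; i++)
        if (dyn[i].d_tag < DT_NUM) { accepted++; if (dyn[i].d_tag < 0) (*negative)++; }
    return accepted;
}

/* Hardened pattern: cast to unsigned before comparing. A negative tag becomes a
 * value near 2^32 and fails the bound like any other out-of-range tag, so the
 * index is provably within [0, DT_NUM) when info[] is written. */
static int load_dynamic_info(const Elf32_Dyn *dyn, size_t n, Elf32_Word info[DT_NUM]) {
    int stored = 0;
    for (size_t i = 0; i < n && dyn[i].d_tag != DT_NULL; i++)
        if ((Elf32_Word) dyn[i].d_tag < DT_NUM) { info[dyn[i].d_tag] = dyn[i].d_val; stored++; }
    return stored;
}

int main(void) {
    Elf32_Word info[DT_NUM] = {0};
    int negative;
    int loose  = signed_check_accepts(crafted_dyn, crafted_dyn_len, &negative);
    int strict = load_dynamic_info(crafted_dyn, crafted_dyn_len, info);
    printf("signed check accepts %d entries (%d negative); unsigned check stores %d\n",
           loose, negative, strict);
    return 0;
}
```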
Acknowledgements: Red Hat would like to thank the Ubuntu Security Team for reporting this issue. The Ubuntu Security Team acknowledges Dan Rosenberg as the original reporter.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2012:0126 https://rhn.redhat.com/errata/RHSA-2012-0126.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4 Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html
Statement: (none)