Bug 599056 - (CVE-2010-0830) CVE-2010-0830 glibc: ld.so d_tag signedness error in elf_get_dynamic_info
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
low Severity low
Assigned To: Red Hat Product Security
: Security
Depends On: 716899 767685 767687 769360
Blocks: 767564
Reported: 2010-06-02 11:30 EDT by Jan Lieskovsky
Modified: 2016-02-04 01:48 EST
Doc Type: Bug Fix
Last Closed: 2012-02-13 15:53:49 EST
Description Jan Lieskovsky 2010-06-02 11:30:05 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0830 to
the following vulnerability:

Integer signedness error in the elf_get_dynamic_info function in
elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
2.0.1 through 2.11.1, when the --verify option is used, allows
user-assisted remote attackers to execute arbitrary code via a crafted
ELF program with a negative value for a certain d_tag structure member
in the ELF header.

  [1] http://drosenbe.blogspot.com/2010/05/integer-overflow-in-ldso-cve-2010-0830.html
  [2] http://frugalware.org/security/662
  [3] http://sourceware.org/git/?p=glibc.git;a=commit;h=db07e962b6ea963dbb345439f6ab9b0cf74d87c5
  [4] http://www.ubuntu.com/usn/USN-944-1
  [5] http://www.securityfocus.com/bid/40063
  [6] http://securitytracker.com/id?1024044
  [7] http://secunia.com/advisories/39900
  [8] http://www.vupen.com/english/advisories/2010/1246
  [9] http://xforce.iss.net/xforce/xfdb/58915
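
A simplified C model of the signedness error described above, added here as an illustration; it is not glibc's code or the upstream patch. The struct, the MODEL_* constants and the function names are hypothetical, the table size is an assumption, and the sample entries are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_DT_NULL 0   /* terminator tag, as in an ELF dynamic section */
#define MODEL_DT_NUM  34  /* size of the model's info[] table (assumed) */

/* Simplified 64-bit dynamic entry: the tag is a signed integer. */
struct model_dyn {
    int64_t  d_tag;
    uint64_t d_val;
};

/* Signed comparison: every negative tag passes and would index before info[0]. */
static bool signed_check_accepts(int64_t tag) { return tag < MODEL_DT_NUM; }

/* Unsigned comparison: a negative tag converts to a huge value and is rejected. */
static bool unsigned_check_accepts(int64_t tag)
{
    return (uint64_t)tag < (uint64_t)MODEL_DT_NUM;
}

/* Fill info[] using the unsigned check; returns how many entries were skipped. */
static size_t fill_info(const struct model_dyn *dyn,
                        const struct model_dyn *info[MODEL_DT_NUM])
{
    size_t skipped = 0;
    for (size_t i = 0; i < MODEL_DT_NUM; i++)
        info[i] = NULL;
    for (; dyn->d_tag != MODEL_DT_NULL; dyn++) {
        if (unsigned_check_accepts(dyn->d_tag))
            info[dyn->d_tag] = dyn;   /* index is proven to be in 0..MODEL_DT_NUM-1 */
        else
            skipped++;                /* negative or too-large tag: never used as index */
    }
    return skipped;
}

/* Constructed sample: two ordinary tags, one negative tag, then the terminator. */
static const struct model_dyn sample[] = {
    { 1, 0x10 }, { 5, 0x4000 }, { -8, 0 }, { MODEL_DT_NULL, 0 },
};

int main(void)
{
    const struct model_dyn *info[MODEL_DT_NUM];
    printf("signed check accepts -8: %d\n", signed_check_accepts(-8));
    printf("entries skipped by unsigned check: %zu\n", fill_info(sample, info));
    return 0;
}
```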
Comment 2 Tomas Hoger 2011-02-02 12:34:42 EST
As noted in Dan's blog post, this issue is only relevant in very rare cases where the linker is run directly with --verify on the crafted ELF file.  In normal use, the loader loads the ELF file and executes the code in it, which naturally leads to arbitrary code execution even without this flaw.  ldd also calls the loader with --verify, but there are other known ways ldd can unexpectedly execute the code from the ELF file:


This bug is corrected in RHEL-6 glibc packages, which include the upstream patch linked above.
Comment 7 Murray McAllister 2012-01-05 05:52:24 EST

Red Hat would like to thank the Ubuntu Security Team for reporting this issue. The Ubuntu Security Team acknowledges Dan Rosenberg as the original reporter.
Comment 8 errata-xmlrpc 2012-02-13 15:35:02 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0126 https://rhn.redhat.com/errata/RHSA-2012-0126.html
Comment 9 errata-xmlrpc 2012-02-13 15:35:33 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html
Comment 10 Vincent Danen 2012-02-13 15:53:49 EST

