Bug 643951 - CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs [fedora-all]
Summary: CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setui...
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 12
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Andreas Schwab
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedNTH
Keywords: Reopened, Security, SecurityTracking
Depends On:
Blocks: CVE-2010-3847
TreeView+ depends on / blocked
 
Reported: 2010-10-18 15:51 UTC by Tomas Hoger
Modified: 2016-11-24 15:50 UTC (History)
9 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2010-10-30 23:47:21 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2010-10-18 15:51:38 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=643306

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.


[bug automatically created by: add-tracking-bugs]

Comment 1 Adam Williamson 2010-10-18 17:18:48 UTC
Discussed at the 2010-10-18 Fedora 14 blocker review meeting. We definitely accept this as a nice-to-have bug (meaning we'll accept a fix for this through the release freeze) and reserve the right to accept it as a release blocker. Security team, could you please give us a summary for non-experts of the impact of this bug so we can decide whether it's a blocker or not? Your recommendation as to whether to make it a blocker would also be appreciated. Thanks. Note that to make the final release on schedule, we need a fix for this to be submitted to Koji and Bodhi today.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 2 Adam Williamson 2010-10-18 17:19:14 UTC

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 3 Tomas Hoger 2010-10-18 18:43:53 UTC
This bug allows local users to escalate their privileges.  It's most relevant for multi-user systems (where users are not expected to have root access), but this kind of flaws can also be used as the next stage of the attack, after some network facing service running as non-privileged user was compromised (think of compromised web application as an example).

I agree with NTH rather than blocker, it can be fixed via post-GA update.  If the update is available on GA date, there's little difference for users that regularly update their systems.

Comment 4 Fedora Update System 2010-10-19 12:38:06 UTC
glibc-2.12.90-17 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/glibc-2.12.90-17

Comment 5 Jan ONDREJ 2010-10-19 16:50:38 UTC
Why there is still no update for F13/F12, even if this bug was reported for Fedora 13?

Because there is an functional exploit for this bug and there is no simple workaround, update is required for all users.

Please, can you compile packages for current stable releases? Thank you.

Comment 6 Kent Engström 2010-10-19 16:59:58 UTC
This is such an easily exploited vulnerability giving root privileges
to unpriviliged users (a dozen lines of shell script works 100% of the time),
that I fear there would be severe public relations problems if Fedora
were to publish a release with this security hole present. Please don't.

Comment 7 Tomas Hoger 2010-10-19 18:12:06 UTC
(In reply to comment #5)
> Because there is an functional exploit for this bug and there is no simple
> workaround, update is required for all users.

As a workaround, you can ensure that you do not have setuid/setgid binaries and (untrusted) user writeable directories on one filesystem.  Tavis' advisory provides details on how to use bind mounts to separate user-writeable directories.

Comment 8 Adam Williamson 2010-10-19 18:14:38 UTC
"that I fear there would be severe public relations problems if Fedora
were to publish a release with this security hole present. Please don't."

I disagree. Privesc vulns aren't particularly uncommon and tend to show up regularly; we've probably shipped every release of Fedora ever with some kind of privesc vuln which was subsequently fixed in an update (I haven't checked this, but it wouldn't surprise me).

the fix can be pulled into RC1 if it gets sufficient karma in time, though, so please install it, reboot, run prelink, reboot, check the system still works, and +1 the update.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 9 Fedora Update System 2010-10-19 22:22:37 UTC
glibc-2.12.90-17 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Jan ONDREJ 2010-10-21 06:17:06 UTC
Reopening bug, still problem for currently supported stable Fedora 12. Please make an update. Thank you.

Comment 12 Andreas Schwab 2010-10-21 09:25:46 UTC
Why wasn't this filed against F12 in the first place?

Comment 13 Jan ONDREJ 2010-10-21 10:02:09 UTC
(In reply to comment #12)
> Why wasn't this filed against F12 in the first place?

I don't know. Do you need another bug for f12? I can clone it.

Comment 14 Fedora Update System 2010-10-21 12:11:38 UTC
glibc-2.11.2-2 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/glibc-2.11.2-2

Comment 15 Jesse Keating 2010-10-21 16:06:13 UTC
re-assigning to F12, removing from F14 blocker list.

Comment 16 Fedora Update System 2010-10-27 22:36:39 UTC
glibc-2.11.2-3 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update glibc'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/glibc-2.11.2-3

Comment 17 Fedora Update System 2010-10-30 23:47:04 UTC
glibc-2.11.2-3 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.