Bug 692393 - (CVE-2009-5064) CVE-2009-5064 glibc: ldd unexpected code execution issue
CVE-2009-5064 glibc: ldd unexpected code execution issue
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Unspecified
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20091026,reported=2...
: Security
Depends On: 531160 713134 716899 767685 767687 769360
Blocks: 734217 767564
  Show dependency treegraph
 
Reported: 2011-03-31 04:41 EDT by Tomas Hoger
Modified: 2016-02-04 01:48 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-13 15:59:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Novell 684385 None None None Never

  None (edit)
Description Tomas Hoger 2011-03-31 04:41:25 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-5064 to the following vulnerability:

** DISPUTED ** ldd in the GNU C Library (aka glibc or libc6) 2.13 and
earlier allows local users to gain privileges via a Trojan horse
executable file linked with a modified loader that omits certain
LD_TRACE_LOADED_OBJECTS checks. NOTE: the GNU C Library vendor states
"This is just nonsense. There are a gazillion other ways to introduce
code if people are downloading arbitrary binaries and install them in
appropriate directories or set LD_LIBRARY_PATH etc."


References:
http://reverse.lostrealm.com/protect/ldd.html
http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
http://thread.gmane.org/gmane.comp.security.oss.general/4427
https://bugzilla.redhat.com/show_bug.cgi?id=531160
Comment 2 errata-xmlrpc 2011-12-06 12:46:53 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1526 https://rhn.redhat.com/errata/RHSA-2011-1526.html
Comment 6 errata-xmlrpc 2012-02-13 15:35:13 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0126 https://rhn.redhat.com/errata/RHSA-2012-0126.html
Comment 7 errata-xmlrpc 2012-02-13 15:35:50 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html
Comment 8 Vincent Danen 2012-02-13 15:59:39 EST
Statement:

(none)

Note You need to log in before you can comment on or make changes to this bug.