Bug 694873 - (CVE-2011-1658) CVE-2011-1658 glibc: ld.so insecure handling of privileged programs' RPATHs with $ORIGIN
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20110112,reported=20110112,sou...
Keywords: Security
Reported: 2011-04-08 13:03 EDT by Vincent Danen
Modified: 2016-02-04 01:47 EST
CC: 3 users

Doc Type: Bug Fix
Last Closed: 2013-04-11 10:14:15 EDT
External Trackers:
  Sourceware 12393
Description Vincent Danen 2011-04-08 13:03:27 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1658 to
the following vulnerability:

Name: CVE-2011-1658
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1658
Assigned: 20110408
Reference: http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=667974

ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier
expands the $ORIGIN dynamic string token when RPATH is composed
entirely of this token, which might allow local users to gain
privileges by creating a hard link in an arbitrary directory to a (1)
setuid or (2) setgid program with this RPATH value, and then executing
the program with a crafted value for the LD_PRELOAD environment
variable, a different vulnerability than CVE-2010-3847 and
CVE-2011-0536.  NOTE: it is not expected that any standard
operating-system distribution would ship an applicable setuid or
setgid program.
Comment 1 Tomas Hoger 2011-04-11 10:46:20 EDT
This problem is not new; it has existed for a long time and was mentioned in the discussions of CVE-2010-3847 and CVE-2011-0536 already (see e.g. bug #667974, comment #9).  It's not clear to me why the CVE description was created in a way that only mentions one of the problems documented in the upstream bug report.

Patches described in the upstream bug:
  http://sourceware.org/bugzilla/show_bug.cgi?id=12393#c1

were added to the glibc packages in Red Hat Enterprise Linux 5 and 6 as part of the fixes for CVE-2011-0536/CVE-2010-3847 in the following errata:
  https://rhn.redhat.com/errata/RHSA-2011-0412.html
  https://rhn.redhat.com/errata/RHSA-2011-0413.html

We have rated this issue as having low security impact.  This can only be exploited via a setuid or setgid binary with $ORIGIN in RPATH.  There is no such binary shipped in Red Hat Enterprise Linux.  We are not aware of any other vendor including such a binary in their distribution.

As Red Hat Enterprise Linux 4 is in the maintenance phase of its life cycle and the issue has very limited impact, we currently do not plan to address this flaw in RHEL-4 glibc packages.
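The impact assessment above, like the CVE text, rests on one question: does any setuid or setgid binary on the system carry $ORIGIN in its RPATH or RUNPATH? The following audit helper is an added example, not code from the bug report, glibc or Red Hat; it reads DT_RPATH/DT_RUNPATH directly from the ELF dynamic section, assumes little-endian ELF64 only, and builds a constructed sample image (no real binary) so the whole thing runs offline. All function names are the example's own.

```python
import os, stat, struct

DT_RPATH, DT_RUNPATH, SHT_DYNAMIC, SHT_STRTAB = 15, 29, 6, 3
SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize

def elf_search_paths(data: bytes) -> list:
    """Return the DT_RPATH/DT_RUNPATH strings of a little-endian ELF64 image (the only layout handled here)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]          # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)  # e_shentsize, e_shnum
    paths = []
    for i in range(shnum):
        sh = struct.unpack_from(SHDR, data, shoff + i * shentsize)
        if sh[1] != SHT_DYNAMIC:
            continue
        # sh_link names the string table that DT_RPATH/DT_RUNPATH offsets index into
        st = struct.unpack_from(SHDR, data, shoff + sh[6] * shentsize)
        strtab = data[st[4]:st[4] + st[5]]
        for off in range(sh[4], sh[4] + sh[5], 16):
            tag, val = struct.unpack_from("<qQ", data, off)  # Elf64_Dyn: d_tag, d_val
            if tag == 0:  # DT_NULL terminates the dynamic table
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                paths.append(strtab[val:strtab.index(b"\0", val)].decode())
    return paths

def origin_risk(paths: list) -> bool:
    """True when any search path uses $ORIGIN, which ld.so expands relative to the binary's own directory."""
    return any("$ORIGIN" in p or "${ORIGIN}" in p for p in paths)

def audit_file(path: str):
    """Report a setuid/setgid ELF whose RPATH/RUNPATH depends on $ORIGIN; None when the file is not at risk."""
    mode = os.stat(path).st_mode
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    with open(path, "rb") as f:
        paths = elf_search_paths(f.read())
    return (path, paths) if origin_risk(paths) else None

def build_sample_elf(rpath: str) -> bytes:
    """Constructed minimal ELF64 image carrying one DT_RPATH entry (test data, not a real binary)."""
    strtab = b"\0" + rpath.encode() + b"\0"
    dyn = struct.pack("<qQqQ", DT_RPATH, 1, 0, 0)  # DT_RPATH -> strtab offset 1, then DT_NULL
    dyn_off = 64 + 3 * 64  # ELF header, then three section headers (null, .dynamic, .dynstr)
    hdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 3, 0)
    shdr = lambda typ, off, size, link, ent: struct.pack(SHDR, 0, typ, 0, 0, off, size, link, 0, 8, ent)
    return (hdr + b"\0" * 64 + shdr(SHT_DYNAMIC, dyn_off, len(dyn), 2, 16)
            + shdr(SHT_STRTAB, dyn_off + len(dyn), len(strtab), 0, 0) + dyn + strtab)
```

On a real host, feed `audit_file` the paths produced by `find / -perm /6000 -type f`; an empty result is the condition the comment above describes for Red Hat Enterprise Linux.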
