On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=25204
LD_PREFER_MAP_32BIT_EXEC is an environment variable that can be set to let the dynamic linker first try to map executable pages using the mmap flag MAP_32BIT, which will map to the low 2 GB of the address space. According to the documentation, LD_PREFER_MAP_32BIT_EXEC should be disabled for setuid binaries, however the code using it (https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h;h=0e95221908b07eb29c33deda31e6e830ae151fbe;hb=2a764c6ee848dfe92cb2921ed3b14085f15d9e79#l32) is run before the code that removes security-sensitive environment variables.
Upstream patch: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5dfad4326fc683c813df1e37bbf5cf920591c8e
Issue introduced in: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=object;h=b9eb92ab05204df772eb4929eccd018637c9f3e9
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1828 https://access.redhat.com/errata/RHSA-2020:1828
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19126
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3861 https://access.redhat.com/errata/RHSA-2020:3861