COMMAND
glibc
SYSTEMS AFFECTED
glibc up to 2.1.3
PROBLEM
Jouko Pynnönen found the following. A vulnerability exists in glibc
versions up to version 2.1.3, i.e. all released versions, allowing
local users to get root access.
The bug is exploitable if 1) there exists a suid/sgid installed
program that uses the locale functions of glibc, and 2) the
standard locale _directories_ exist in /usr/share/locale/.
Unfortunately, all common Linux installations to my knowledge
fulfill these two conditions by default.
There are numerous programs that can be used for exploiting this
bug. Anything that's setuid/setgid and calls gettext() is
dangerous, though not necessarily exploitable. The function is
also called in an exploitable way from some other common libc
functions such as getopts(). With an exploit script Jouko has
been able to get root access using at least the following
programs: at, chage, crontab, login, mount, rlogin, su, umount.
The problem has been tested on RedHat 6.0 and 6.1, Debian,
Slackware, and LinuxPPC-1999. However the list of exploitable
programs varies between different distributions.
Since all released glibc versions are vulnerable, it probably
wouldn't serve any purpose to go into the goriest details now.
That's why this description merely outlines the problem,
although more details will follow later.
The effective part of the bug resides in the locale file loading
functions. Some careless code there fails to detect whether a
user-definable locale file is inside the default locale directory
hierarchy (/usr/share/locale/) or outside it. The result is that
a malicious user can feed his/her own locale files, and with them
translation strings, to locale-aware programs. These strings are
often used as format strings in setuid root programs, which leads
to problems as seen in recent exploits.
This vulnerability was discovered by: Esa Etelävuori.
SOLUTION
Fix packages for most major Linux distributions have been
released or will be released within a day or two. There's also a
quick workaround described below. Note that this is different
from the "unsetenv" bug.
A quick workaround is to remove (or move elsewhere) the files
under /usr/share/locale/ until the library itself has been fixed;
or simply

    mv /usr/share/locale /usr/share/locale.old

OpenBSD and FreeBSD are not vulnerable to this.
Debian:
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-13.diff.gz
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-13.dsc
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-all/glibc-doc_2.1.3-13_all.deb
http://security.debian.org/dists/stable/updates/main/binary-all/i18ndata_2.1.3-13_all.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dbg_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dev_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-pic_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-prof_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libnss1-compat_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/locales_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/nscd_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dbg_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dev_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-pic_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-prof_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/locales_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/nscd_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dbg_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dev_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-pic_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-prof_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libnss1-compat_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/locales_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/nscd_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dbg_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dev_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-pic_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-prof_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/locales_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/nscd_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dbg_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dev_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-pic_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-prof_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/locales_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/nscd_2.1.3-13_sparc.deb
http://security.debian.org/dists/slink/updates/source/glibc_2.0.7.19981211-6.3.diff.gz
http://security.debian.org/dists/slink/updates/source/glibc_2.0.7.19981211-6.3.dsc
http://security.debian.org/dists/slink/updates/source/glibc_2.0.7.19981211.orig.tar.gz
http://security.debian.org/dists/slink/updates/binary-i386/libc6-dbg_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/libc6-dev_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/libc6-pic_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/libc6_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/locales_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/timezones_2.0.7.19981211-6.3_i386.deb
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/glibc-2.1.2-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-devel-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-profile-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/nscd-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/glibc-2.1.2-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-devel-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-profile-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/nscd-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/glibc-2.1.2-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-devel-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-profile-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/nscd-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/glibc-2.1.2-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-devel-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-profile-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/nscd-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/glibc-2.1.3-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-devel-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-profile-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/nscd-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/glibc-2.1.3-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-devel-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-profile-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/nscd-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/glibc-2.1.3-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-devel-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-profile-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/nscd-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/glibc-2.1.3-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-devel-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-profile-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/nscd-2.1.3-10cl.i386.rpm
For Caldera Systems:
- OpenLinux Desktop 2.3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/glibc-2.1.1-3.i386.rpm
RPMS/glibc-devel-2.1.1-3.i386.rpm
RPMS/glibc-devel-static-2.1.1-3.i386.rpm
RPMS/glibc-localedata-2.1.1-3.i386.rpm
SRPMS/glibc-2.1.1-3.src.rpm
- OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/glibc-2.1.3-4S.i386.rpm
RPMS/glibc-devel-2.1.3-4S.i386.rpm
RPMS/glibc-devel-static-2.1.3-4S.i386.rpm
RPMS/glibc-localedata-2.1.3-4S.i386.rpm
SRPMS/glibc-2.1.3-4S.src.rpm
- OpenLinux eDesktop 2.4
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/glibc-2.1.2-7.i386.rpm
RPMS/glibc-devel-2.1.2-7.i386.rpm
RPMS/glibc-devel-static-2.1.2-7.i386.rpm
RPMS/glibc-localedata-2.1.2-7.i386.rpm
SRPMS/glibc-2.1.2-7.src.rpm
For Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/a1/glibcso.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/d1/glibc.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/des1/descrypt.tgz
Users of Slackware 7.0, 7.1, and -current are strongly urged to
upgrade to the new glibc packages in the -current branch.
For SuSE Linux:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/shlibs-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/libc-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/d2/libd-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/libc-2.1.3-154.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/shlibs-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/libc-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/d2/libd-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/libc-2.1.3-154.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/shlibs-2.1.2-47.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/libc-2.1.2-47.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/d2/libd-2.1.2-47.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/libc-2.1.2-47.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/shlibs-2.1.1-29.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/libc-2.1.1-29.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/d2/libd-2.1.1-29.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/libc-2.1.1-29.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/shlibs-2000.9.5-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/libc-2000.9.5-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/d2/libd-2000.9.5-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/libc-2000.9.5-0.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/shlibs-2.1.3-154.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libc-2.1.3-154.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d2/libd-2.1.3-154.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/libc-2.1.3-154.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/shlibs-2.1.3-154.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/libc-2.1.3-154.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/d2/libd-2.1.3-154.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/libc-2.1.3-154.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/shlibs-2.1.2-47.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/libc-2.1.2-47.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/d2/libd-2.1.2-47.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/libc-2.1.2-47.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/shlibs-2000.9.5-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/d1/libc-2000.9.5-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/d2/libd-2000.9.5-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/libc-2000.9.5-0.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/shlibs-2.1.3-154.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libc-2.1.3-154.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d2/libd-2.1.3-154.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/libc-2.1.3-154.src.rpm
All of these fixes are available in the CVS, or you can get them
here:
ftp://ftp.openwall.com/pvt/glibc-cvs-20000827-security-patches.tar.gz
For Linux-Mandrake:
Linux-Mandrake 7.0: 7.0/RPMS/glibc-2.1.3-16mdk.i586.rpm
7.0/RPMS/glibc-devel-2.1.3-16mdk.i586.rpm
7.0/RPMS/glibc-profile-2.1.3-16mdk.i586.rpm
7.0/SRPMS/glibc-2.1.3-16mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/glibc-2.1.3-17mdk.i586.rpm
7.1/RPMS/glibc-devel-2.1.3-17mdk.i586.rpm
7.1/RPMS/glibc-profile-2.1.3-17mdk.i586.rpm
7.1/SRPMS/glibc-2.1.3-17mdk.src.rpm
Due to the recently publicized security holes in glibc, Trustix
Secure Linux released new glibc packages. Although the security
hole seems only to be a local one, all users of Trustix
distributions are encouraged to install the new packages. The new
packages are:
glibc-2.1.3-10tr.i586.rpm
glibc-devel-2.1.3-10tr.i586.rpm
glibc-profile-2.1.3-10tr.i586.rpm
nscd-2.1.3-10tr.i586.rpm
URL: ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
For Red Hat:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.4.src.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-21.sparcv9.rpm
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-21.src.rpm
For TurboLinux:
ftp://ftp.turbolinux.com/pub/updates/6.0/glibc-2.1.2-17S.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/glibc-2.1.2-15S.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/glibc-2.1.2-17S.src.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/glibc-2.1.2-15S.src.rpm
Immunix OS updated its Immunized version of glibc:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/glibc-2.1.3-21_StackGuard.src.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
glibc-2.1.3-21_StackGuard.i386.rpm
glibc-devel-2.1.3-21_StackGuard.i386.rpm
glibc-profile-2.1.3-21_StackGuard.i386.rpm
nscd-2.1.3-21_StackGuard.i386.rpm
CERN wrote a kernel module (named envcheck) which intercepts the
execve system call and sanitises the environment. At the cost of
a marginal performance penalty, it has the following advantages
over the glibc upgrade:
* it can log who is trying to exploit these glibc bugs
* it works with statically linked binaries
* it is transparent to applications that may be sensitive to
a change of glibc (the first upgrade from Red Hat, quoting
their advisory, "introduced some threading problems visible
with JDK and Mozilla")
* it may partially protect libc5
* it could be used as a base to check further things before
processes start: argument lengths, non-printable characters
in the environment...
The real fix is to use the new glibc and to get rid of the printf
format bugs but our module can nicely be used in the meantime...
For more information, see
http://home.cern.ch/cons/security/
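
The check that the PROBLEM section says is missing, combined with the environment sanitising that envcheck is described as doing, sketched here in userland C as an added example; it is not glibc's or CERN's code. The list of locale variables, the function names and the sample environment are assumptions of the example, since the advisory names none of them.

```c
#include <stdio.h>
#include <string.h>

/* Variables that select a locale or message catalogue. The list (LANG,
 * LANGUAGE, NLSPATH, LC_*) is an assumption; the advisory names none. */
static int is_locale_var(const char *entry, size_t namelen)
{
    static const char *const names[] = { "LANG", "LANGUAGE", "NLSPATH" };
    if (namelen > 3 && strncmp(entry, "LC_", 3) == 0)
        return 1;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strlen(names[i]) == namelen && strncmp(entry, names[i], namelen) == 0)
            return 1;
    return 0;
}

/* A value is safe only if it cannot act as a path out of the system
 * locale hierarchy: no '/' and no ".." anywhere in it. */
int locale_value_is_safe(const char *value)
{
    return strchr(value, '/') == NULL && strstr(value, "..") == NULL;
}

/* Compact a NULL-terminated environment in place, dropping locale variables
 * with unsafe values. Logs each drop and returns how many were removed. */
size_t sanitize_locale_env(char **envp)
{
    size_t dropped = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        const char *eq = strchr(*in, '=');
        if (eq != NULL && is_locale_var(*in, (size_t)(eq - *in))
            && !locale_value_is_safe(eq + 1)) {
            fprintf(stderr, "dropped unsafe locale variable %.*s\n",
                    (int)(eq - *in), *in);
            dropped++;
            continue;
        }
        *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment, not taken from the advisory. */
    char *env[] = { "PATH=/usr/bin:/bin", "LANG=fi_FI.ISO-8859-1",
                    "LANGUAGE=../outside", "LC_ALL=/home/user/loc",
                    "HOME=/home/user", NULL };
    size_t n = sanitize_locale_env(env);
    printf("dropped %zu of 5 entries\n", n);
    return n == 2 ? 0 : 1;
}
```

A privileged program would run this over its environment before its first setlocale() or gettext() call; ordinary locale names such as fi_FI.ISO-8859-1 pass through unchanged.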