COMMAND
glibc
SYSTEMS AFFECTED
Linux
PROBLEM
Zenith Parsec found following. FOr more info, take a look at:
http://www-gnats.gnu.org:8080/cgi-bin/wwwgnats.pl/full/1883
Other related links are:
http://oliover.efri.hr/~crv/security/bugs/Linux/glibc4.html
http://oliover.efri.hr/~crv/security/bugs/mUNIXes/format3.html
Vulnerable setuid programs that come on a standard Redhat 6.1
install include, but are not limited to:
/bin/su
/bin/mount
/bin/umount
/usr/bin/at
/usr/bin/lpq
/usr/bin/passwd
/usr/bin/suidperl
/usr/sbin/usernetctl
/usr/sbin/userhelper
The environment variables involved in locale based function are
not (adequately?) sanity checked. It seems that although some
programs (possibly the libc itself?) (seem to) check that the
values do not start with ../ for .mo files, they do not (seem to)
check the entire string, making it possible to step backwards
through the directory tree, after first taking a step forward,
and to anywhere you feel like. (e.g. /tmp/hack)
This problem, combined with appropriately formed format strings
allows arbitrary instructions to be executed by modifying the
stack. Some fun not-so-arbitrary instructions could be something
like: jump to this code
setreuid(0,0);execl("/bin/sh","/bin/sh",0);
User zen is an unprivileged user:
bash# export LANGUAGE=en_US/../../../../tmp/hack
bash# /usr/bin/strace -u zen su -c
...
--lots of strace output cut--
...
open("/usr/share/locale/en_US/../../../../tmp/hack/LC_MESSAGES/sh-utils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
...
--lots more strace output cut--
...
bash#
It is possible to insert a string something like
%1$141x%81$hn%1$370x%82$hn%1$256x%83$hn%1$192x%84$hn
into a copy of sh-utils.mo and cause su to use it as the error
message, instead of
Mit `%s --help' bekommen Sie mehr Informationen.
(The difference in length isn't important for this purpose. The
rest of the file's strings aren't likely to be used.)
By manipulating the contents of of the arguments to su, you can
cause the program to execute arbitrary instructions. For example,
calling su this way:
execl("/bin/su",evil,"-c",0);
(where evil contains a string that contains pointers for the
format string to use to overwrite stack addresses, and shellcode
to be executed) will execute the shellcode with root permissions.
This has been tested on:
roothat is a Redhat 6.2 with version 2.2.16 kernel, and 2.1.3 glibc
Although RH 6.1 doesn't come with any copies of sh-util.mo by
default, it is quite easy to come by a copy to edit, due to the
all pervasive nature of GNU software:
/mnt/C/cygnus/cygwin-b20/share/locale/de/LC_MESSAGES/sh-utils.mo
libc.mo could have been used if sh-util.mo was not available, with
slight modifications to the method used to exploit it. (libc.mo
does exist in several languages in a default install).
This has also been checked on a Debian distribution, but only a
simple verification that the path problem existed was done. The
format string part is relatively easy to work out though. Another
approach is to create your own .mo files from scratch.
It's only exploitable locally. Unless in.telnetd can somehow
accept locale environment variables. Maybe with ld.so bug as
well? In which case, if someone is able to upload a poisoned .mo
file, you are well and truly fucked.
The format string given in the example writes the address
0xf1eaf00d to the stack at the address pointed to buy the list of
pointers at offsets 81-84, done this way to bypass the problem of
using a value that is too big for the format string for the %n
thing.
For a list of some other words you can make with just hex, visit:
http://homepages.ihug.co.nz/~Sneuro/totaleleet.html
cabba6e5 is a nice one, deadbeef still owns though.
SOLUTION
The problem above has been fixed in the development versions (CVS)
for glibc 2.1.x and glibc 2.2 just a few days ago.
OpenBSD and FreeBSD are not vulnerable to this.
Debian:
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-13.diff.gz
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-13.dsc
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-all/glibc-doc_2.1.3-13_all.deb
http://security.debian.org/dists/stable/updates/main/binary-all/i18ndata_2.1.3-13_all.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dbg_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dev_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-pic_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-prof_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libnss1-compat_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/locales_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/nscd_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dbg_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dev_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-pic_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-prof_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/locales_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/nscd_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dbg_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dev_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-pic_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-prof_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libnss1-compat_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/locales_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/nscd_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dbg_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dev_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-pic_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-prof_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/locales_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/nscd_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dbg_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dev_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-pic_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-prof_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/locales_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/nscd_2.1.3-13_sparc.deb
http://security.debian.org/dists/slink/updates/source/glibc_2.0.7.19981211-6.3.diff.gz
http://security.debian.org/dists/slink/updates/source/glibc_2.0.7.19981211-6.3.dsc
http://security.debian.org/dists/slink/updates/source/glibc_2.0.7.19981211.orig.tar.gz
http://security.debian.org/dists/slink/updates/binary-i386/libc6-dbg_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/libc6-dev_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/libc6-pic_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/libc6_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/locales_2.0.7.19981211-6.3_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/timezones_2.0.7.19981211-6.3_i386.deb
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/glibc-2.1.2-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-devel-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-profile-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/nscd-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/glibc-2.1.2-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-devel-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-profile-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/nscd-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/glibc-2.1.2-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-devel-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-profile-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/nscd-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/glibc-2.1.2-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-devel-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-profile-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/nscd-2.1.2-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/glibc-2.1.3-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-devel-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-profile-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/nscd-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/glibc-2.1.3-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-devel-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-profile-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/nscd-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/glibc-2.1.3-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-devel-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-profile-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/nscd-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/glibc-2.1.3-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-devel-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-profile-2.1.3-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/nscd-2.1.3-10cl.i386.rpm
For Caldera Systems:
- OpenLinux Desktop 2.3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/glibc-2.1.1-3.i386.rpm
RPMS/glibc-devel-2.1.1-3.i386.rpm
RPMS/glibc-devel-static-2.1.1-3.i386.rpm
RPMS/glibc-localedata-2.1.1-3.i386.rpm
SRPMS/glibc-2.1.1-3.src.rpm
- OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/glibc-2.1.3-4S.i386.rpm
RPMS/glibc-devel-2.1.3-4S.i386.rpm
RPMS/glibc-devel-static-2.1.3-4S.i386.rpm
RPMS/glibc-localedata-2.1.3-4S.i386.rpm
SRPMS/glibc-2.1.3-4S.src.rpm
- OpenLinux eDesktop 2.4
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/glibc-2.1.2-7.i386.rpm
RPMS/glibc-devel-2.1.2-7.i386.rpm
RPMS/glibc-devel-static-2.1.2-7.i386.rpm
RPMS/glibc-localedata-2.1.2-7.i386.rpm
SRPMS/glibc-2.1.2-7.src.rpm
For Slackware:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/a1/glibcso.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/d1/glibc.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/des1/descrypt.tgz
Users of Slackware 7.0, 7.1, and -current are strongly urged to
upgrade to the new glibc packages in the -current branch.
For SuSE Linux:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/shlibs-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/libc-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/d2/libd-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/libc-2.1.3-154.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/shlibs-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/libc-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/d2/libd-2.1.3-154.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/libc-2.1.3-154.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/shlibs-2.1.2-47.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/libc-2.1.2-47.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/d2/libd-2.1.2-47.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/libc-2.1.2-47.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/shlibs-2.1.1-29.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/libc-2.1.1-29.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/d2/libd-2.1.1-29.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/libc-2.1.1-29.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/shlibs-2000.9.5-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/libc-2000.9.5-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/d2/libd-2000.9.5-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/libc-2000.9.5-0.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/shlibs-2.1.3-154.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libc-2.1.3-154.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d2/libd-2.1.3-154.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/libc-2.1.3-154.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/shlibs-2.1.3-154.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/libc-2.1.3-154.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/d2/libd-2.1.3-154.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/libc-2.1.3-154.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/shlibs-2.1.2-47.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/libc-2.1.2-47.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/d2/libd-2.1.2-47.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/libc-2.1.2-47.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/shlibs-2000.9.5-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/d1/libc-2000.9.5-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/d2/libd-2000.9.5-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/libc-2000.9.5-0.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/shlibs-2.1.3-154.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libc-2.1.3-154.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d2/libd-2.1.3-154.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/libc-2.1.3-154.src.rpm
All of these fixes are available in the CVS, or you can get them
here:
ftp://ftp.openwall.com/pvt/glibc-cvs-20000827-security-patches.tar.gz
For Linux-Mandrake:
Linux-Mandrake 7.0: 7.0/RPMS/glibc-2.1.3-16mdk.i586.rpm
7.0/RPMS/glibc-devel-2.1.3-16mdk.i586.rpm
7.0/RPMS/glibc-profile-2.1.3-16mdk.i586.rpm
7.0/SRPMS/glibc-2.1.3-16mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/glibc-2.1.3-17mdk.i586.rpm
7.1/RPMS/glibc-devel-2.1.3-17mdk.i586.rpm
7.1/RPMS/glibc-profile-2.1.3-17mdk.i586.rpm
7.1/SRPMS/glibc-2.1.3-17mdk.src.rpm
Due to the recently publicized security holes in glibc, Trustix
Secure Linux released new glibc packages. Although the security
hole seems only to be a local one, all users of Trustix
distributions are encouraged to install the new packages. The new
packages are:
glibc-2.1.3-10tr.i586.rpm
glibc-devel-2.1.3-10tr.i586.rpm
glibc-profile-2.1.3-10tr.i586.rpm
nscd-2.1.3-10tr.i586.rpm
URL: ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
For Red Hat:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.4.sparc.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.4.alpha.rpm
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.4.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.4.src.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-21.sparcv9.rpm
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-21.src.rpm
For TurboLinux:
ftp://ftp.turbolinux.com/pub/updates/6.0/glibc-2.1.2-17S.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/glibc-2.1.2-15S.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/glibc-2.1.2-17S.src.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/glibc-2.1.2-15S.src.rpm
Immunix OS updated Immunized version of glibc.
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/glibc-2.1.3-21_StackGuard.src.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
glibc-2.1.3-21_StackGuard.i386.rpm
glibc-devel-2.1.3-21_StackGuard.i386.rpm
glibc-profile-2.1.3-21_StackGuard.i386.rpm
nscd-2.1.3-21_StackGuard.i386.rpm
CERN wrote a kernel module (named envcheck) which intercepts the
execve system call and sanitises the environment. At the cost of
a marginal performance penalty, it has the following advantages
over the glibc upgrade:
* it can log who is trying to exploit these glibc bugs
* it works with statically linked binaries
* it is transparent to applications that may be sensitive to
a change of glibc (the first upgrade from Red Hat, quoting
their advisory, "introduced some threading problems visible
with JDK and Mozilla")
* it may partially protect libc5
* it could be used as a base to check further things before
processes start: argument lengths, non-printable characters
in the environment...
The real fix is to use the new glibc and to get rid of the printf
format bugs but our module can nicely be used in the meantime...
For more information, see
http://home.cern.ch/cons/security/