COMMAND

    glibc

SYSTEMS AFFECTED

    Linux

PROBLEM

    Charles Stevenson posted following.  This has been bouncing around
    on vuln-dev and the debian-devel lists. It effects glibc >= 2.1.9x
    and it would  seem many if  not all OSes  using these versions  of
    glibc.  Ben Collins writes,  "This wasn't supposed to happen,  and
    the actual fix was a missing comma in the list of secure env  vars
    that  were  supposed  to  be  cleared  when  a  program  starts up
    suid/sgid (including RESOLV_HOST_CONF)."  The exploit varies  from
    system to  system but  in devel  version of  Yellow Dog Linux they
    were able to print  the /etc/shadow file as  a normal user in  the
    following manner:

        export RESOLV_HOST_CONF=/etc/shadow
        ssh whatever.host.com

    Other programs have the same effect depending on the defaults  for
    the system.  Charles  has tested this on  Red Hat 7.0, Yellow  Dog
    Linux 2.0 (prerelease),  and Debian Woody.   Others have  reported
    similar results on slackware and even "home brew[ed]" GNU/Linux.

    Further tests showed other glibc versions to be vulnerable  (glibc
    2.2, 2.2.9, etc).

    That exploit  can use  any suid  root program  which resolves host
    names or more properly, an  suid root program which resolves  host
    names _while  still holding  root privileges_.   ping from  netkit
    and traceroute from  LBNL do not  fall into this  category.  fping
    from SATAN, however, does.

SOLUTION

    And a patch.  Yeah, it's pretty obvious, but nobody's produced  it
    yet.  Of course, it'll take you forever to *compile* the thing.

    Index: sysdeps/generic/unsecvars.h
    ===================================================================
    RCS file: /cvs/glibc/libc/sysdeps/generic/unsecvars.h,v
    retrieving revision 1.1
    retrieving revision 1.3
    diff -u -d -b -r1.1 -r1.3
    --- unsecvars.h	2000/09/26 09:31:25	1.1
    +++ unsecvars.h	2001/01/08 17:54:58	1.3
    @@ -1,11 +1,12 @@
     /* Environment variable to be removed for SUID programs.  */
     #define UNSECURE_ENVVARS \
       "GCONV_PATH",								      \
    +  "HOSTALIASES",							      \
       "LOCALDOMAIN",							      \
       "LOCPATH",								      \
       "MALLOC_TRACE",							      \
       "NLSPATH",								      \
    -  "RESOLV_HOST_CONF"							      \
    +  "RESOLV_HOST_CONF",							      \
       "RES_OPTIONS",							      \
       "TMPDIR",								      \
       "TZDIR"
    Index: resolv/res_query.c
    ===================================================================
    RCS file: /cvs/glibc/libc/resolv/res_query.c,v
    retrieving revision 1.15
    retrieving revision 1.16
    diff -u -d -b -r1.15 -r1.16
    --- res_query.c	2000/07/19 21:59:47	1.15
    +++ res_query.c	2001/01/08 17:55:24	1.16
    @@ -371,7 +371,7 @@

 	    if (statp->options & RES_NOALIASES)
 		    return (NULL);
    -	file = __secure_getenv("HOSTALIASES");
    +	file = getenv("HOSTALIASES");
 	    if (file == NULL || (fp = fopen(file, "r")) == NULL)
 		    return (NULL);
 	    setbuf(fp, NULL);

    The latest *released* Debian  (2.2, aka potato) is  not vulnerable
    to this problem, since it uses glibc 2.1.3.

    For RedHat:

        ftp://updates.redhat.com/7.0/SRPMS/glibc-2.2-12.src.rpm
        ftp://updates.redhat.com/7.0/alpha/glibc-2.2-12.alpha.rpm
        ftp://updates.redhat.com/7.0/alpha/glibc-2.2-12.alpha.rpm
        ftp://updates.redhat.com/7.0/alpha/glibc-common-2.2-12.alpha.rpm
        ftp://updates.redhat.com/7.0/alpha/glibc-devel-2.2-12.alpha.rpm
        ftp://updates.redhat.com/7.0/alpha/glibc-profile-2.2-12.alpha.rpm
        ftp://updates.redhat.com/7.0/alpha/nscd-2.2-12.alpha.rpm
        ftp://updates.redhat.com/7.0/alphaev6/glibc-2.2-12.alphaev6.rpm
        ftp://updates.redhat.com/7.0/i386/glibc-2.2-12.i386.rpm
        ftp://updates.redhat.com/7.0/i386/glibc-common-2.2-12.i386.rpm
        ftp://updates.redhat.com/7.0/i386/glibc-devel-2.2-12.i386.rpm
        ftp://updates.redhat.com/7.0/i386/glibc-profile-2.2-12.i386.rpm
        ftp://updates.redhat.com/7.0/i386/nscd-2.2-12.i386.rpm
        ftp://updates.redhat.com/7.0/i686/glibc-2.2-12.i686.rpm

    For Slackware:

        ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/a1/glibcso.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/d1/glibc.tgz

    For Immunix OS:

        http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/glibc-2.2-12_imnx_7.i386.rpm
        http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/glibc-common-2.2-12_imnx_7.i386.rpm
        http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/glibc-devel-2.2-12_imnx_7.i386.rpm
        http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/glibc-profile-2.2-12_imnx_7.i386.rpm
        http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/nscd-2.2-12_imnx_7.i386.rpm
        http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/glibc-2.2-12_imnx_7.src.rpm
        http://immunix.org/ImmunixOS/6.2/updates/RPMS/glibc-2.1.3-22_StackGuard_1.i386.rpm
        http://immunix.org/ImmunixOS/6.2/updates/RPMS/glibc-devel-2.1.3-22_StackGuard_1.i386.rpm
        http://immunix.org/ImmunixOS/6.2/updates/RPMS/glibc-profile-2.1.3-22_StackGuard_1.i386.rpm
        http://immunix.org/ImmunixOS/6.2/updates/RPMS/nscd-2.1.3-22_StackGuard_1.i386.rpm
        http://immunix.org/ImmunixOS/6.2/updates/SRPMS/glibc-2.1.3-22_StackGuard_1.src.rpm

    For Linux-Mandrake:

        Linux-Mandrake 6.0: 6.0/RPMS/glibc-2.1.3-18.2mdk.i586.rpm
                            6.0/RPMS/glibc-devel-2.1.3-18.2mdk.i586.rpm
                            6.0/RPMS/glibc-profile-2.1.3-18.2mdk.i586.rpm
                            6.0/SRPMS/glibc-2.1.3-18.2mdk.src.rpm
        Linux-Mandrake 6.1: 6.1/RPMS/glibc-2.1.3-18.2mdk.i586.rpm
                            6.1/RPMS/glibc-devel-2.1.3-18.2mdk.i586.rpm
                            6.1/RPMS/glibc-profile-2.1.3-18.2mdk.i586.rpm
                            6.1/SRPMS/glibc-2.1.3-18.2mdk.src.rpm
        Linux-Mandrake 7.0: 7.0/RPMS/glibc-2.1.3-18.2mdk.i586.rpm
                            7.0/RPMS/glibc-devel-2.1.3-18.2mdk.i586.rpm
                            7.0/RPMS/glibc-profile-2.1.3-18.2mdk.i586.rpm
                            7.0/SRPMS/glibc-2.1.3-18.2mdk.src.rpm
        Linux-Mandrake 7.1: 7.1/RPMS/glibc-2.1.3-18.1mdk.i586.rpm
                            7.1/RPMS/glibc-devel-2.1.3-18.1mdk.i586.rpm
                            7.1/RPMS/glibc-profile-2.1.3-18.1mdk.i586.rpm
                            7.1/SRPMS/glibc-2.1.3-18.1mdk.src.rpm
        Linux-Mandrake 7.2: 7.2/RPMS/glibc-2.1.3-18.3mdk.i586.rpm
                            7.2/RPMS/glibc-devel-2.1.3-18.3mdk.i586.rpm
                            7.2/RPMS/glibc-profile-2.1.3-18.3mdk.i586.rpm
                            7.2/SRPMS/glibc-2.1.3-18.3mdk.src.rpm
    Corporate Server 1.0.1: 1.0.1/RPMS/glibc-2.1.3-18.1mdk.i586.rpm
                            1.0.1/RPMS/glibc-devel-2.1.3-18.1mdk.i586.rpm
                            1.0.1/RPMS/glibc-profile-2.1.3-18.1mdk.i586.rpm
                            1.0.1/SRPMS/glibc-2.1.3-18.1mdk.src.rpm

    Trustix is, like  many other linux  distributions, based on  Glibc
    2.1.3 and  is therefore  open to  the "preload  hole" discussed in
    various postings  to bugtraq  and other  lists.   This is  a local
    security hole, and all users of TSL should upgrade their boxes:

        1.2: glibc-2.1.3-14tr.i586.rpm
             glibc-devel-2.1.3-14tr.i586.rpm
             glibc-profile-2.1.3-14tr.i586.rpm
             nscd-2.1.3-14tr.i586.rpm

        1.1: glibc-2.1.3-14tr.i586.rpm
             glibc-devel-2.1.3-14tr.i586.rpm
             glibc-profile-2.1.3-14tr.i586.rpm
             nscd-2.1.3-14tr.i586.rpm

        1.0: Use the 1.1 packages.

    For Caldera Linux:

        ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
        ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
              RPMS/glibc-2.1.3-6OL.i386.rpm
              RPMS/glibc-devel-2.1.3-6OL.i386.rpm
              RPMS/glibc-devel-static-2.1.3-6OL.i386.rpm
              RPMS/glibc-localedata-2.1.3-6OL.i386.rpm
              SRPMS/glibc-2.1.3-6OL.src.rpm

        ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
        ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
              RPMS/glibc-2.1.3-6S.i386.rpm
              RPMS/glibc-devel-2.1.3-6S.i386.rpm
              RPMS/glibc-devel-static-2.1.3-6S.i386.rpm
              RPMS/glibc-localedata-2.1.3-6S.i386.rpm
              SRPMS/glibc-2.1.3-6S.src.rpm

        ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
        ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
              RPMS/glibc-2.1.3-6.i386.rpm
              RPMS/glibc-devel-2.1.3-6.i386.rpm
              RPMS/glibc-devel-static-2.1.3-6.i386.rpm
              RPMS/glibc-localedata-2.1.3-6.i386.rpm
              SRPMS/glibc-2.1.3-6.src.rpm

    Packages can be downloaded from:

        ftp://ftp.trustix.net/pub/Trustix/updates/
        http://www.trustix.net/pub/Trustix/updates/