Impact
local privilege escalation
Solution
Please install the updated packages.
Insight
The Linux C library glibc was updated to fix critical security issues and several bugs:
CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges.
This specific issue did not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed by this update nevertheless.
CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths.
This could be used by local attackers to inject code into setuid root programs and so elevate privileges.
Both of these were found by Tavis Ormandy and we thank him for finding and reporting those issues.
SUSE Linux Enterprise Server 9 is not affected by the above problems, as its glibc supports neither LD_AUDIT nor the $ORIGIN expansion required by the first problem.
On openSUSE 11.1 and 11.2, SUSE Linux Enterprise 10 Service Pack 3 and SUSE Linux Enterprise 11 GA, the following minor security issues were also fixed:
CVE-2010-0830: An integer overflow in ld.so --verify mode, leading to arbitrary code execution, could be induced by a specially crafted binary. This would require running ld.so --verify on an untrusted binary, which we did not consider likely.
We thank Dan Rosenberg for reporting this problem.
CVE-2010-0296: The addmntent() function did not escape the newline character properly, allowing a user to insert arbitrary newlines into /etc/mtab. If addmntent() is run by a setuid mount binary that does not perform extra input checks, this would allow custom entries to be inserted into /etc/mtab.
We thank Dan Rosenberg and Jeff Layton for reporting this problem.
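As an added illustration of the CVE-2010-0296 bug class (this is example code, not the advisory's or glibc's own), the following mtab field encoder uses the same octal escaping scheme that glibc's mntent routines use, with a switch that reproduces the pre-fix omission of the newline escape and a check that a written entry stays on one line. The names encode_field and mtab_line_count and the sample paths are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Encode one mtab field with the mntent escaping scheme: space, tab, newline
 * and backslash become octal escapes (\040, \011, \012, \134), so a field can
 * never terminate or forge an /etc/mtab line. escape_newline == 0 mirrors the
 * pre-fix behaviour where '\n' passed through. Returns bytes written, -1 if
 * out is too small. */
static int encode_field(const char *in, char *out, size_t outlen, int escape_newline)
{
    size_t pos = 0;
    for (const char *p = in; *p; p++) {
        const char *esc = NULL;
        switch (*p) {
        case ' ':  esc = "\\040"; break;
        case '\t': esc = "\\011"; break;
        case '\\': esc = "\\134"; break;
        case '\n': if (escape_newline) esc = "\\012"; break;
        }
        size_t need = esc ? 4 : 1;
        if (pos + need >= outlen) return -1;
        if (esc) memcpy(out + pos, esc, 4); else out[pos] = *p;
        pos += need;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Lines an entry "fsname dir ext3 rw 0 0" would occupy; a safe entry is 1. */
static int mtab_line_count(const char *fsname, const char *dir, int escape_newline)
{
    char f[256], d[256], line[600];
    if (encode_field(fsname, f, sizeof f, escape_newline) < 0 ||
        encode_field(dir, d, sizeof d, escape_newline) < 0)
        return -1;
    snprintf(line, sizeof line, "%s %s ext3 rw 0 0\n", f, d);
    int n = 0;
    for (const char *p = line; *p; p++)
        if (*p == '\n') n++;
    return n;
}

int main(void)
{
    /* Constructed mount point with an embedded newline (not a real path). */
    const char *dir = "/mnt/data\ninjected entry";
    printf("newline unescaped: %d line(s); escaped: %d line(s)\n",
           mtab_line_count("/dev/sdb1", dir, 0), mtab_line_count("/dev/sdb1", dir, 1));
    return 0;
}
```

With the newline escape disabled the constructed entry spans two lines, which is exactly the extra line a setuid mount helper would have written; with it enabled the entry stays on one.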
CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in its width specifier handling that could be triggered by an attacker who can control the format string passed to strfmon().
We thank Maksymilian Arciemowicz for reporting this problem.
CVE-2010-0015: Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as a so-called "adjunct passwd" table, mangling it with the rest of the passwd columns instead of keeping it in the shadow table. Normally, Solaris will disclose this information only to clients bound to a privileged port, but when nscd is deployed on the client, getpwnam() would disclose the password hashes to all users. New mode "adjunct as shadow"
...
Description truncated, for more information please check the Reference URL
Affected
glibc on openSUSE 11.1, openSUSE 11.2
References
Updated on 2015-03-25
Severity
Classification
-
CVE: CVE-2008-1391, CVE-2010-0015, CVE-2010-0296, CVE-2010-0830, CVE-2010-3847, CVE-2010-3856
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities