[LWN Logo]
[Timeline]
Date:         Wed, 6 Sep 2000 12:32:37 +0200
From: Roman Drahtmueller <draht@SUSE.DE>
Subject:      SuSE Security Announcement: shlibs (glibc)
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                shlibs (glibc-2.0, glibc-2.1)
        Date:                   Wednesday, September 6th, 2000 12:30 MEST
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     local root compromise
        Severity (1-10):        9
        SuSE default package:   yes
        Other affected systems: all glibc based linux systems, other
                                                        Un*x systems

    Content of this advisory:
        1) security vulnerability resolved: shlibs (glibc)
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, temporary workarounds
        3) standard appendix (further information)


______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    The glibc implementations in all SuSE distributions starting with
    SuSE-6.0 have multiple security problems where at least one of them
    allows any local user to gain root access to the system.

    a) ld-linux.so.2, the runtime linker, is supposed to clean environment
    variables that may influence the execution of programs ran by a
    suid program. Variables of that kind include LD_LIBRARY_PATH and
    LD_PRELOAD. These variables do not have any effect on the suid
    application itself since the linker ignores them. However, if the
    suid program executes another non-suid application without dropping
    privileges and without cleaning the environment, the LD_* variables
    would allow an attacker to execute arbitrary code as the effective
    uid of the calling suid program. There is currently no program in the
    SuSE distribution known to be susceptible to this problem.

    b) locale handling portions of the glibc code fails to properly check
    given environment settings such as the variable LANGUAGE. This could
    lead to arbitrary code being executed as root, depending on the
    permissions and ownerships of the program being used for the exploit.

    c) A bug in the mutex handling code in the shlibs version for SuSE-7.0
    could cause multithreaded applications to hang or crash. This has also
    been fixed.

    There is only one way to temporarily circumvent the exploit: Disable
    all suid applications in the system.

    SuSE provides a updated packages for the vulnerable libraries. It is
    strongly recommended to upgrade to the latest version found on our
    ftp server as described below. The update packages remove all currently
    known security problems in the glibc package.

    Download the update packages as described below and install the
    package with the command `rpm -Fhv file.rpm'. The md5sum for each
    file is in the line below. You can verify the integrity of the rpm
    files using the command
        `rpm --checksig --nogpg file.rpm',
    independently from the md5 signatures below.

    SPECIAL INSTALL INSTRUCTIONS:
    Note that the complete update consists of three (3) binary rpm
    packages and one source rpm package per distribution and platform.
    libc-*.rpm contains the static libraries, libd is the package for
    the profiling+debugging version of the libraries.

    If at all possible, keep your machine calm while you perform the
    update. Execute the following commands after the rpm update has been
    applied:

            /sbin/ldconfig      # alternatively, use SuSEconfig
            /sbin/init u        # will restart init to make a clean shutdown
                                # possible once needed.

  i386 Intel Platform:

    SuSE-7.0
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/shlibs-2.1.3-154.i386.rpm
      753176172ebf628c6567c70a9b950933
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/libc-2.1.3-154.i386.rpm
      0f0696fc359cdb7b13f40a52d6676f09
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/d2/libd-2.1.3-154.i386.rpm
      4ca3268f91a9294313cf871e9f7cb8b8
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/libc-2.1.3-154.src.rpm
      a6af3232fe6d474d6309c68469c126ec

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/shlibs-2.1.3-154.i386.rpm
      150dcb3854b066c021c396b4a0fe25e6
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/libc-2.1.3-154.i386.rpm
      75c9aef75d6e7e4b196c21bb500d00e0
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/d2/libd-2.1.3-154.i386.rpm
      47fff508b0b67a82356361aa23c8beae
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/libc-2.1.3-154.src.rpm
      bfeaa4e15ecbe1fea986b710152b5fec

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/a1/shlibs-2.1.2-47.i386.rpm
      8e88f237414a4d8f96131b17267b4d53
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/libc-2.1.2-47.i386.rpm
      575bb0c94474add7ae02333cbb77cba0
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/d2/libd-2.1.2-47.i386.rpm
      8728db143b6393a261aa9060d9321345
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/libc-2.1.2-47.src.rpm
      eea1810dceafe5e7f77b4b5137829834

    SuSE-6.2
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/shlibs-2.1.1-29.i386.rpm
      78360eddc58f3897a14327d2fa214191
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/libc-2.1.1-29.i386.rpm
      456cad1d8034d40ebbf8337d1308c4de
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/d2/libd-2.1.1-29.i386.rpm
      6dccdf557c6d329b40238a1644368564
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/libc-2.1.1-29.src.rpm
      cec489c212826cb2dcc65a602da61da3

    SuSE-6.1
    ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/shlibs-2000.9.5-0.i386.rpm
      7a272e7f15fd2dec69401d4c788de015
    ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/libc-2000.9.5-0.i386.rpm
      c748944bbe8a55f69478e6ef0bda843a
    ftp://ftp.suse.com/pub/suse/i386/update/6.1/d2/libd-2000.9.5-0.i386.rpm
      7fce2e2e41b62dc985e48ee31f6dac1c
    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/libc-2000.9.5-0.src.rpm
      77fa60f5a3a10e02460bd1960b1f78f6

    Please use the packages from the SuSE-6.1 directory for SuSE-6.0!



  Sparc Platform:

    SuSE-7.0:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/shlibs-2.1.3-154.sparc.rpm
      1563171d7ee17a3048500afd4424927d
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libc-2.1.3-154.sparc.rpm
      a907fbb3e5e48664cadb6b75570e15b2
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d2/libd-2.1.3-154.sparc.rpm
      f60071e3a497e3af48078338b3bd6610
    source rpm:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/libc-2.1.3-154.src.rpm
      690a34f9ddb6bd6edf41a07d5fba0ad4



  AXP Alpha Platform:

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/shlibs-2.1.3-154.alpha.rpm
      d08a782d1dc1cc406b2141727295befe
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/libc-2.1.3-154.alpha.rpm
      730c9b3c98f9d243c09ce41c5c4240a5
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/d2/libd-2.1.3-154.alpha.rpm
      0c2ba3d11a42d84f48b1ee79a15e36b2
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/libc-2.1.3-154.src.rpm
      a5f2a207c6f8b179bbd91cea9c96711d

    SuSE-6.3
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/a1/shlibs-2.1.2-47.alpha.rpm
      afc0ac7f3db066702fbd19bfaa216751
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/libc-2.1.2-47.alpha.rpm
      3530ef711231a5b378d14fe70e2971f6
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/d2/libd-2.1.2-47.alpha.rpm
      5836a7a1557046b0c3498b7dec1ee436
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/libc-2.1.2-47.src.rpm
      0100769ad09d68563a7540ba73c826d7

    SuSE-6.1
    ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/shlibs-2000.9.5-0.alpha.rpm
      64c59dcb13069293694faf845446463e
    ftp://ftp.suse.com/pub/suse/axp/update/6.1/d1/libc-2000.9.5-0.alpha.rpm
      2b8df961dcfb42933cdf298f9229cffd
    ftp://ftp.suse.com/pub/suse/axp/update/6.1/d2/libd-2000.9.5-0.alpha.rpm
      75dd4bcfb0bf2cc64fe8dd5bfc4a69f0
    source rpm:
    ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/libc-2000.9.5-0.src.rpm
      11871baa8279f8c0c79f6c9d95ca531c


  PPC Power PC Platform:

    SuSE-6.4
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/shlibs-2.1.3-154.ppc.rpm
      8565cd463e4fbbccc39aa96f1eefdc70
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libc-2.1.3-154.ppc.rpm
      987ed3d338fb7c42083cf6dd2057ce0b
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d2/libd-2.1.3-154.ppc.rpm
      a212f188cf31d55c2016236d2c313cf4
    source rpm:
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/libc-2.1.3-154.src.rpm
      401b4f2f306a065fb04edd89cd153364

______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    This section addresses currently known vulnerabilities in Linux/Unix
    systems that have not been resolved yet as of the release date of
    this advisory.

     - screen

        local root compromise. Update+advisory follows this advisory.

     - zope

        SuSE distributions before 7.0 do not contain zope as a package.
        An updated package for the freshly released SuSE-7.0 is on the way.

     - xchat

        A fix for the URL handler vulnerabilty is in progress and will
        be released within a few days. There is currently no effective
        and easy workaround other than removing the package by hand
        (`rpm -e xchat'). More information on xchat can be found in
        xchat's documentation directory /usr/doc/packages/xchat or
        /usr/share/doc/packages/xchat for SuSE-7.0.

______________________________________________________________________________

3)  standard appendix:

    SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        -   SuSE's announce-only mailing list.
            Only SuSE's security annoucements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

    ===============================================
    SuSE's security contact is <security@suse.com>.
    ===============================================

Regards,
Roman Drahtmüller.
- - --
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way.
    SuSE GmbH makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048/3D25D3D9 1999/03/06 SuSE Security Team <security@suse.de>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12Cg==
=pIeS
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBObYa53ey5gA9JdPZAQHOcwf/Xwz2AsyelEXHA9KA+9/b5ZpEPu0hnySF
KjADn6wLGDGdUBb70IszsIWbxg5XUXkQ4rjmHgE2IXmZG+euD+KW7Y9QPNTGpt5/
JD9lQAaqlqSOFr6/CuD44ZaU/hUGELeMIyG0YDCG27zQwWGigjJwdeyuDeqif0+M
MGDnBqW+GS/LXaLd7Yb4QIocFDKzYFHqGPbYIP3vEAkTpT/gBV6C51E7NBDE8Bwm
3k8PvrHIoq/ovlUEqMbeEETskjMuGQfkUPHfVDV0um96RpsdKEHQIBdCfeMBTe5P
ZL/aLeMwDdN6kKNAeouKDszWz453uXuWo0h8cZCJG2/Z1bNtoEi9Aw==
=iM4f
-----END PGP SIGNATURE-----