Release Date: | 2011-01-07 |
elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value, and then executing the program with a crafted value for the LD_PRELOAD environment variable, a different vulnerability than CVE-2010-3847 and CVE-2011-0536. NOTE: it is not expected that any standard operating-system distribution would ship an applicable setuid or setgid program.
Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847.
See more information about CVE-2010-3847 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v2.0 metrics and score provided are preliminary and subject to review.
Base Score: | 6.9 | Base Metrics: | AV:L/AC:M/Au:N/C:C/I:C/A:C |
Access Vector: | Local network | Attack Complexity: | Medium |
Authentication: | None required | Confidentiality Impact: | Complete |
Integrity Impact: | Complete | Availability Impact: | Complete |
Platform | Errata | Release Date |
Oracle Linux version 5 (glibc) | ELSA-2010-0787 | 2010-10-21 |
Oracle Linux version 6 (glibc) | ELSA-2010-0872 | 2011-02-10 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team