CVE-2011-0536

CVE Details

Release Date:

2011-04-08

Description

ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value, and then executing the program with a crafted value for the LD_PRELOAD environment variable, a different vulnerability than CVE-2010-3847 and CVE-2011-0536. NOTE: it is not expected that any standard operating-system distribution would ship an applicable setuid or setgid program. Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847.

See more information about CVE-2011-0536 from MITRE CVE dictionary and NIST NVD

CVSS v2.0 metrics

NOTE: The following CVSS v2.0 metrics and score provided are preliminary and subject to review.

Base Score:	6.9	Base Metrics:	AV:L/AC:M/Au:N/C:C/I:C/A:C
Access Vector:	Local network	Attack Complexity:	Medium
Authentication:	None required	Confidentiality Impact:	Complete
Integrity Impact:	Complete	Availability Impact:	Complete

Errata information

Platform	Errata	Release Date
Oracle Linux version 5 (glibc)	ELSA-2011-0412	2011-04-04
Oracle Linux version 6 (glibc)	ELSA-2011-0413	2011-04-04

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team