Debians sikkerhedsbulletin

DSA-039-1 glibc -- lokal overskrivning af fil

Rapporteret den:
8. mar 2001
Berørte pakker:
glibc
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 2223.
I Mitres CVE-ordbog: CVE-2001-0169.
Yderligere oplysninger:
Den version af GNU libc som distribueres med Debian GNU/Linux 2.2 har to sikkerhedsproblemer:
  • Det var muligt at anvende LD_PRELOAD til at indlæse biblioteker der er angivet i /etc/ld.so.cache, også suid-programmer. Dette kunne anvendes til at oprette (og overskrive) filer som brugeren ikke skulle have adgang til.
  • Ved anvendelse af LD_PROFILE skrev suid-programmer data til en fil i /var/tmp, hvilket ikke blev gjort sikkert. Igen, dette kunne anvendes til at oprette (og overskrive) filer som brugeren ikke skulle have adgang til.
Begge problemer er rettet i version 2.1.3-17 og vi anbefaler at du omgående opgraderer din glibc-pakke.

Bemærk at en følgevirkning af denne opgraderering er, at ldd ikke længere vil fungere på suid programs, med mindre du er logget ind som root.

Rettet i:

Debian 2.2 (potato)

Kildekode:
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-17.diff.gz
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-17.dsc
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3.orig.tar.gz
Arkitekturuafhængig komponent:
http://security.debian.org/dists/stable/updates/main/binary-all/glibc-doc_2.1.3-17_all.deb
http://security.debian.org/dists/stable/updates/main/binary-all/i18ndata_2.1.3-17_all.deb
alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dbg_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dev_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-pic_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-prof_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libnss1-compat_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/locales_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/nscd_2.1.3-17_alpha.deb
arm:
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dbg_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dev_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-pic_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-prof_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libnss1-compat_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/locales_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/nscd_2.1.3-17_arm.deb
i386:
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dbg_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dev_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-pic_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-prof_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libnss1-compat_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/locales_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/nscd_2.1.3-17_i386.deb
m68k:
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6-dbg_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6-dev_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6-pic_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6-prof_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libnss1-compat_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/locales_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/nscd_2.1.3-17_m68k.deb
powerpc:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dbg_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dev_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-pic_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-prof_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libnss1-compat_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/locales_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/nscd_2.1.3-17_powerpc.deb
sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dbg_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dev_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-pic_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-prof_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libnss1-compat_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/locales_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/nscd_2.1.3-17_sparc.deb