Säkerhetsbulletin från Debian

DSA-039-1 glibc -- lokal filöverskrivning

Rapporterat den:
2001-03-08
Berörda paket:
glibc
Sårbara:
Ja
Referenser i säkerhetsdatabaser:
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 2223.
I Mitres CVE-förteckning: CVE-2001-0169.
Ytterligare information:
Versionen av GNU libc som medföljer Debian GNU/Linux 2.2 hade två säkerhetsproblem:
  • Det var möjligt att använda LD_PRELOAD för att ladda bibliotek som listades i /etc/ld.so.cache, även för suid-program. Detta kunde användas för att skapa (och skriva över) filer som användaren inte skulle tillåtas.
  • Genom att använda LD_PROFILE skrev suid-program data till en fil i /var/tmp, något som inte gjordes på ett säkert sätt. Återigen kunde detta användas för att skapa (och skriva över) filer som användaren inte skulle tillåtas.
Båda problemen har rättats i version 2.1.3-17, och vi rekommenderar att du uppgraderar dina glibc-paket omedelbart.

Notera att sideffekten av denna uppgradering är att ldd inte längre fungerar på suid-program, såvida du inte är inloggad som root.

Rättat i:

Debian 2.2 (potato)

Källkod:
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-17.diff.gz
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-17.dsc
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3.orig.tar.gz
Arkitekturoberoende komponent:
http://security.debian.org/dists/stable/updates/main/binary-all/glibc-doc_2.1.3-17_all.deb
http://security.debian.org/dists/stable/updates/main/binary-all/i18ndata_2.1.3-17_all.deb
alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dbg_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dev_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-pic_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-prof_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libnss1-compat_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/locales_2.1.3-17_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/nscd_2.1.3-17_alpha.deb
arm:
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dbg_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dev_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-pic_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-prof_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libnss1-compat_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/locales_2.1.3-17_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/nscd_2.1.3-17_arm.deb
i386:
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dbg_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dev_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-pic_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-prof_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libnss1-compat_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/locales_2.1.3-17_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/nscd_2.1.3-17_i386.deb
m68k:
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6-dbg_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6-dev_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6-pic_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6-prof_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libc6_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libnss1-compat_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/locales_2.1.3-17_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/nscd_2.1.3-17_m68k.deb
powerpc:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dbg_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dev_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-pic_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-prof_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libnss1-compat_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/locales_2.1.3-17_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/nscd_2.1.3-17_powerpc.deb
sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dbg_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dev_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-pic_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-prof_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libnss1-compat_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/locales_2.1.3-17_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/nscd_2.1.3-17_sparc.deb