Overview
The GNU libc library fails to perform a check for the SETUID bit for cached libraries in the /etc/ld.so.cache file. As a result, malicious users may create or modify privileged files.
Description
The GNU libc library allows preloading libraries via the LD_PRELOAD environment variable, provided the entries in the variable don't contain the / character. When running a SUID program, the library also checks to ensure the library being loaded is SUID. Unfortunately, this check is skipped if the library is already in the /etc/ld.so.cache file. |
Impact
Malicious users may pre-load libraries into the cache file, and use those libraries to create or modify privileged files. |
Solution
Apply patches available from your operating system vendor; see below. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.securityfocus.com/bid/2223
- http://www.linuxsecurity.com/advisories/redhat_advisory-1045.html
- http://www.linuxsecurity.com/advisories/debian_advisory-1198.html
- http://www.linuxsecurity.com/advisories/other_advisory-1349.html
- http://www.linuxsecurity.com/advisories/other_advisory-1130.html
- http://www.linuxsecurity.com/advisories/mandrake_advisory-1061.html
- http://www.linuxsecurity.com/advisories/turbolinux_advisory-1158.html
- http://www.linuxsecurity.com/advisories/suse_advisory-1092.html
- http://www.linuxsecurity.com/advisories/caldera_advisory-1085.html
- http://www.linuxsecurity.com/advisories/other_advisory-1069.html
Acknowledgements
Our thanks to Red-Hat Security for identifying this problem.
This document was last modified by Tim Shimeall
Other Information
| CVE IDs: | CVE-2001-0169 |
| Severity Metric: | 11.99 |
| Date Public: | 2001-01-18 |
| Date First Published: | 2001-05-14 |
| Date Last Updated: | 2001-06-20 14:13 UTC |
| Document Revision: | 14 |