The GNU libc library fails to perform a check for the SETUID bit for cached libraries in the /etc/ld.so.cache file. As a result, malicious users may create or modify privileged files.
The GNU libc library allows preloading libraries via the LD_PRELOAD environment variable, provided the entries in the variable don't contain the / character. When running a SUID program, the library also checks to ensure the library being loaded is SUID. Unfortunately, this check is skipped if the library is already in the /etc/ld.so.cache file.
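The decision described above can be modelled for the SUID-program case as follows. This is an added illustration, not glibc source code; the struct, the function names and the sample library names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one LD_PRELOAD entry; not glibc's own data structure. */
struct preload_entry {
    const char *name;   /* entry text as it appears in LD_PRELOAD */
    bool in_cache;      /* library is listed in /etc/ld.so.cache */
    bool lib_is_suid;   /* library file carries the SUID bit */
};

/* Flawed policy for a SUID program: a cache hit skips the SUID check. */
bool allowed_flawed(const struct preload_entry *e)
{
    if (strchr(e->name, '/') != NULL)
        return false;            /* entries containing '/' are rejected */
    if (e->in_cache)
        return true;             /* flaw: library SUID bit never examined */
    return e->lib_is_suid;
}

/* Corrected policy: the SUID check applies to cached libraries too. */
bool allowed_fixed(const struct preload_entry *e)
{
    return strchr(e->name, '/') == NULL && e->lib_is_suid;
}

/* Constructed sample entries; the library names are hypothetical. */
static const struct preload_entry samples[] = {
    { "libplain_cached.so",      true,  false },  /* the case the note describes */
    { "libsuid_cached.so",       true,  true  },
    { "libplain_uncached.so",    false, false },
    { "/opt/example/libpath.so", true,  true  },
};

/* Count samples the flawed policy accepts but the corrected one rejects. */
int count_bypasses(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        n += allowed_flawed(&samples[i]) && !allowed_fixed(&samples[i]);
    return n;
}

int main(void)
{
    printf("entries accepted only by the flawed policy: %d\n", count_bypasses());
    return 0;
}
```

Only the cached library without the SUID bit is treated differently by the two policies, which is the gap the vendor patches close.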
Malicious users may pre-load libraries into the cache file, and use those libraries to create or modify privileged files.
Apply patches available from your operating system vendor; see below.
Our thanks to Red Hat Security for identifying this problem.
This document was last modified by Tim Shimeall.
Date First Published: 2001-05-14
Date Last Updated: 2001-06-20 14:13 UTC