Security News > 2023 > October > Make-me-root 'Looney Tunables' security hole on Linux needs your attention

The flaw, dubbed Looney Tunables, arises from the GNU C Library's dynamic loader mishandling of the GLIBC TUNABLES environmental variable.

Because GNU C Library, commonly known as glibc, is found in most Linux systems, this is something of an issue.

Essentially, setting GLIBC TUNABLES to a carefully crafted value can cause a buffer overflow, which could lead to arbitrary code execution within the loader, allowing it to be hijacked.

Most other distributions are said to be affected, though Alpine Linux is not because it uses musl libc rather than glibc. "The presence of a buffer overflow vulnerability in the dynamic loader's handling of the GLIBC TUNABLES environment variable poses significant risks to numerous Linux distributions," said Saeed Abbasi, product manager with Qualys' Threat Research Unit, in the report.

According to Qualys, the GLIBC TUNABLES environment variable provides a way to alter a library's behavior at runtime, without the need for library or application recompilation.

The code for sanitizing GLIBC TUNABLES fails in certain circumstances.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/04/linux_looney_tunables_bug/