Vulnerabilities > CVE-2010-3847 - Link Following vulnerability in GNU Glibc
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Symlink Attack An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
- Accessing, Modifying or Executing Executable Files An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating Input to File System Calls An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Exploit-Db
description glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit). CVE-2010-3847. Local exploit for Linux platform. Tags: Metasploit Framework (MSF), Local file exploits/linux/local/44024.rb id EDB-ID:44024 last seen 2018-02-12 modified 2018-02-12 platform linux port published 2018-02-12 reporter Exploit-DB source https://www.exploit-db.com/download/44024/ title glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit) type local description glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit). CVE-2010-3847,CVE-2010-3856. Local exploit for Linux platform. Tags: Metasploit Fram... file exploits/linux/local/44025.rb id EDB-ID:44025 last seen 2018-02-12 modified 2018-02-12 platform linux port published 2018-02-12 reporter Exploit-DB source https://www.exploit-db.com/download/44025/ title glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit) type local description GNU C library dynamic linker $ORIGIN expansion Vulnerability. CVE-2010-3847,CVE-2010-3847,CVE-2011-0536. Local exploit for linux platform id EDB-ID:15274 last seen 2016-02-01 modified 2010-10-18 published 2010-10-18 reporter Tavis Ormandy source https://www.exploit-db.com/download/15274/ title GNU C library dynamic linker - $ORIGIN expansion Vulnerability
Metasploit
description This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the `LD_AUDIT` environment variable when loading setuid executables which allows control over the `$ORIGIN` library search path resulting in execution of arbitrary shared objects. This module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution. The specified setuid binary must be readable and located on the same file system partition as the specified writable directory. This module has been tested successfully on: glibc 2.5 on CentOS 5.4 (x86_64); glibc 2.5 on CentOS 5.5 (x86_64); glibc 2.12 on Fedora 13 (i386); and glibc 2.5-49 on RHEL 5.5 (x86_64). Some versions of `ld.so`, such as the version shipped with Ubuntu 14, hit a failed assertion in `dl_open_worker` causing exploitation to fail. id MSF:EXPLOIT/LINUX/LOCAL/GLIBC_ORIGIN_EXPANSION_PRIV_ESC last seen 2020-04-11 modified 2019-04-18 published 2018-01-27 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/glibc_origin_expansion_priv_esc.rb title glibc '$ORIGIN' Expansion Privilege Escalation description This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation. id MSF:EXPLOIT/LINUX/LOCAL/GLIBC_LD_AUDIT_DSO_LOAD_PRIV_ESC last seen 2020-05-21 modified 2019-01-10 published 2018-01-28 references - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856
- https://seclists.org/fulldisclosure/2010/Oct/257
- https://seclists.org/fulldisclosure/2010/Oct/344
- https://www.ubuntu.com/usn/usn-1009-1
- https://security-tracker.debian.org/tracker/CVE-2010-3847
- https://security-tracker.debian.org/tracker/CVE-2010-3856
- https://access.redhat.com/security/cve/CVE-2010-3847
- https://access.redhat.com/security/cve/CVE-2010-3856
reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/glibc_ld_audit_dso_load_priv_esc.rb title glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Nessus
NASL family Misc. NASL id VMWARE_VMSA-2011-0001_REMOTE.NASL description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including arbitrary code execution vulnerabilities, in several third-party components and libraries : - glibc - glibc-common - nscd - openldap - sudo last seen 2020-06-01 modified 2020-06-02 plugin id 89673 published 2016-03-04 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89673 title VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0001) (remote check) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0787.NASL description Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) Red Hat would like to thank Tavis Ormandy for reporting this issue. All users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50079 published 2010-10-21 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50079 title RHEL 5 : glibc (RHSA-2010:0787) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2010-295-01.NASL description New glibc packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50308 published 2010-10-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50308 title Slackware 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : glibc (SSA:2010-295-01) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2011-0001.NASL description a. Service Console update for glibc The service console packages glibc, glibc-common, and nscd are each updated to version 2.5-34.4908.vmw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues addressed in this update. b. Service Console update for sudo The service console package sudo is updated to version 1.7.2p1-8.el5_5. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2956 to the issue addressed in this update. c. Service Console update for openldap The service console package openldap is updated to version 2.3.43-12.el5_5.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues addressed in this update. last seen 2020-06-01 modified 2020-06-02 plugin id 51422 published 2011-01-06 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51422 title VMSA-2011-0001 : VMware ESX third-party updates for Service Console packages glibc, sudo, and openldap NASL family Scientific Linux Local Security Checks NASL id SL_20110404_GLIBC_ON_SL5_X.NASL description The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 61008 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61008 title Scientific Linux Security Update : glibc on SL5.x,SL6.x i386/x86_64 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-0413.NASL description From Red Hat Security Advisory 2011:0413 : Updated glibc packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 68245 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68245 title Oracle Linux 6 : glibc (ELSA-2011-0413) NASL family SuSE Local Security Checks NASL id SUSE_GLIBC-7201.NASL description Several security issues were fixed : - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called last seen 2020-06-01 modified 2020-06-02 plugin id 50377 published 2010-10-28 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50377 title SuSE 10 Security Update : glibc (ZYPP Patch Number 7201) NASL family SuSE Local Security Checks NASL id SUSE_11_GLIBC-101025.NASL description This update of glibc fixes various bugs and security issues : - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called last seen 2020-06-01 modified 2020-06-02 plugin id 50912 published 2010-12-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50912 title SuSE 11 / 11.1 Security Update : glibc (SAT Patch Numbers 3392 / 3393) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0787.NASL description Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) Red Hat would like to thank Tavis Ormandy for reporting this issue. All users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50795 published 2010-11-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50795 title CentOS 5 : glibc (CESA-2010:0787) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0872.NASL description Updated glibc packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) Red Hat would like to thank Tavis Ormandy for reporting the CVE-2010-3847 issue, and Ben Hawkes and Tavis Ormandy for reporting the CVE-2010-3856 issue. This update also fixes the following bugs : * Previously, the generic implementation of the strstr() and memmem() functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected. (BZ#643341) * The last seen 2020-06-01 modified 2020-06-02 plugin id 50640 published 2010-11-18 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50640 title RHEL 6 : glibc (RHSA-2010:0872) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-0412.NASL description From Red Hat Security Advisory 2011:0412 : Updated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 68244 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68244 title Oracle Linux 5 : glibc (ELSA-2011-0412) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0872.NASL description From Red Hat Security Advisory 2010:0872 : Updated glibc packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) Red Hat would like to thank Tavis Ormandy for reporting the CVE-2010-3847 issue, and Ben Hawkes and Tavis Ormandy for reporting the CVE-2010-3856 issue. This update also fixes the following bugs : * Previously, the generic implementation of the strstr() and memmem() functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected. (BZ#643341) * The last seen 2020-06-01 modified 2020-06-02 plugin id 68141 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68141 title Oracle Linux 6 : glibc (ELSA-2010-0872) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1009-2.NASL description USN-1009-1 fixed vulnerabilities in the GNU C library. Colin Watson discovered that the fixes were incomplete and introduced flaws with setuid programs loading libraries that used dynamic string tokens in their RPATH. If the last seen 2020-06-01 modified 2020-06-02 plugin id 51501 published 2011-01-12 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51501 title Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : eglibc, glibc vulnerability (USN-1009-2) NASL family SuSE Local Security Checks NASL id SUSE_11_2_GLIBC-101027.NASL description This update of glibc fixes various bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). last seen 2020-06-01 modified 2020-06-02 plugin id 50373 published 2010-10-28 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50373 title openSUSE Security Update : glibc (openSUSE-SU-2010:0913-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-0412.NASL description Updated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 53291 published 2011-04-05 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53291 title RHEL 5 : glibc (RHSA-2011:0412) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0787.NASL description From Red Hat Security Advisory 2010:0787 : Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) Red Hat would like to thank Tavis Ormandy for reporting this issue. All users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 68123 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68123 title Oracle Linux 5 : glibc (ELSA-2010-0787) NASL family Fedora Local Security Checks NASL id FEDORA_2010-16308.NASL description - Implement accurate fma (BZ#3268, #43358) - Fix alignment of AVX save area on x86-64 (BZ#12113) - Fix regex memory leaks (BZ#12078) - Improve output of psiginfo (BZ#12107, BZ#12108) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 50036 published 2010-10-20 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50036 title Fedora 14 : glibc-2.12.90-17 (2010-16308) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2011-0412.NASL description Updated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc addmntent() function did not sanitize its input properly. A local attacker could possibly use this flaw to inject malformed lines into /etc/mtab via certain setuid mount helpers, if the attacker were allowed to mount to an arbitrary directory under their control. (CVE-2010-0296) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 53430 published 2011-04-15 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53430 title CentOS 5 : glibc (CESA-2011:0412) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-207.NASL description A vulnerability in the GNU C library (glibc) was discovered which could escalate the privilegies for local users (CVE-2010-3847). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=4 90 The updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50076 published 2010-10-21 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50076 title Mandriva Linux Security Advisory : glibc (MDVSA-2010:207) NASL family Fedora Local Security Checks NASL id FEDORA_2010-16594.NASL description - Fix strstr and memmem algorithm (BZ#12092, #641124) - Fix handling of tail bytes of buffer in SSE2/SSSE3 x86-64 version strncmp (BZ#12077) - Never expand $ORIGIN in privileged programs (#643306, CVE-2010-3847) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 50312 published 2010-10-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50312 title Fedora 13 : glibc-2.12.1-3 (2010-16594) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2122.NASL description Ben Hawkes and Tavis Ormandy discovered that the dynamic loader in GNU libc allows local users to gain root privileges using a crafted LD_AUDIT environment variable. last seen 2020-06-01 modified 2020-06-02 plugin id 50309 published 2010-10-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50309 title Debian DSA-2122-1 : glibc - missing input sanitization NASL family Scientific Linux Local Security Checks NASL id SL_20101020_GLIBC_ON_SL5_X.NASL description It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) last seen 2020-06-01 modified 2020-06-02 plugin id 60874 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60874 title Scientific Linux Security Update : glibc on SL5.x i386/x86_64 NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201312-01.NASL description The remote host is affected by the vulnerability described in GLSA-201312-01 (GNU C Library: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in GNU C Library. Please review the CVE identifiers referenced below for details. Impact : A local attacker could trigger vulnerabilities in dynamic library loader, making it possible to load attacker-controlled shared objects during execution of setuid/setgid programs to escalate privileges. A context-dependent attacker could trigger various vulnerabilities in GNU C Library, including a buffer overflow, leading to execution of arbitrary code or a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 71167 published 2013-12-03 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71167 title GLSA-201312-01 : GNU C Library: Multiple vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1009-1.NASL description Tavis Ormandy discovered multiple flaws in the GNU C Library last seen 2020-06-01 modified 2020-06-02 plugin id 50318 published 2010-10-24 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50318 title Ubuntu 8.04 LTS / 9.04 / 9.10 / 10.04 LTS / 10.10 : glibc, eglibc vulnerabilities (USN-1009-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-0413.NASL description Updated glibc packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 53292 published 2011-04-05 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53292 title RHEL 6 : glibc (RHSA-2011:0413) NASL family SuSE Local Security Checks NASL id SUSE_11_1_GLIBC-101026.NASL description This update of glibc fixes various bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). CVE-2010-0015: Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called last seen 2020-06-01 modified 2020-06-02 plugin id 50367 published 2010-10-28 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50367 title openSUSE Security Update : glibc (openSUSE-SU-2010:0914-1) NASL family Fedora Local Security Checks NASL id FEDORA_2010-16641.NASL description - Correct x86 CPU family and model check (BZ#11640, #596554) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 50421 published 2010-11-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50421 title Fedora 12 : glibc-2.11.2-3 (2010-16641) NASL family Scientific Linux Local Security Checks NASL id SL_20101110_GLIBC_ON_SL6_X.NASL description It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) This update also fixes the following bugs : - Previously, the generic implementation of the strstr() and memmem() functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected. (BZ#643341) - The last seen 2020-06-01 modified 2020-06-02 plugin id 60891 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60891 title Scientific Linux Security Update : glibc on SL6.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_11_3_GLIBC-101027.NASL description This update of glibc fixes two bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 75518 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75518 title openSUSE Security Update : glibc (openSUSE-SU-2010:0912-1) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0012_GLIBC.NASL description The remote NewStart CGSL host, running version MAIN 5.04, has glibc packages installed that are affected by multiple vulnerabilities: - elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory. (CVE-2010-3847) - ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so. (CVE-2010-3856) - Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow. (CVE-2012-4412) - Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function. (CVE-2012-4424) - A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially- crafted input that, when processed, would cause the application to crash. (CVE-2013-0242) - It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker- controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash. (CVE-2013-1914, CVE-2013-4458) - pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system. (CVE-2013-2207) - An out-of-bounds write flaw was found in the way the glibc last seen 2020-06-01 modified 2020-06-02 plugin id 127161 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127161 title NewStart CGSL MAIN 5.04 : glibc Multiple Vulnerabilities (NS-SA-2019-0012) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2011-178.NASL description Multiple vulnerabilities was discovered and fixed in glibc : Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has in (a) RPATH or (b) RUNPATH. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847 (CVE-2011-0536). The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a stack extension attack, a related issue to CVE-2010-2898, as originally reported for use of this library by Google Chrome (CVE-2011-1071). The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296 (CVE-2011-1089). locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function (CVE-2011-1095). Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071 (CVE-2011-1659). crypt_blowfish before 1.1, as used in glibc on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash (CVE-2011-2483). The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56953 published 2011-11-28 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56953 title Mandriva Linux Security Advisory : glibc (MDVSA-2011:178) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201011-01.NASL description The remote host is affected by the vulnerability described in GLSA-201011-01 (GNU C library: Multiple vulnerabilities) Multiple vulnerabilities were found in glibc, amongst others the widely-known recent LD_AUDIT and $ORIGIN issues. For further information please consult the CVE entries referenced below. Impact : A local attacker could execute arbitrary code as root, cause a Denial of Service, or gain privileges. Additionally, a user-assisted remote attacker could cause the execution of arbitrary code, and a context-dependent attacker could cause a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 50605 published 2010-11-16 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50605 title GLSA-201011-01 : GNU C library: Multiple vulnerabilities NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0023.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Switch to use malloc when the input line is too long [Orabug 19951108] - Use a /sys/devices/system/cpu/online for _SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin) - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532). - Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475, - Fix patch for integer overflows in *valloc and memalign. (CVE-2013-4332, #1011805). - Fix return code when starting an already started nscd daemon (#979413). - Fix getnameinfo for many PTR record queries (#1020486). - Return EINVAL error for negative sizees to getgroups (#995207). - Fix integer overflows in *valloc and memalign. (CVE-2013-4332, #1011805). - Add support for newer L3 caches on x86-64 and correctly count the number of hardware threads sharing a cacheline (#1003420). - Revert incomplete fix for bug #758193. - Fix _nl_find_msg malloc failure case, and callers (#957089). - Test on init_fct, not result->__init_fct, after demangling (#816647). - Don last seen 2020-06-01 modified 2020-06-02 plugin id 81118 published 2015-02-02 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81118 title OracleVM 3.2 : glibc (OVMSA-2015-0023) (GHOST)
Packetstorm
data source https://packetstormsecurity.com/files/download/146338/glibc_origin_expansion_priv_esc.rb.txt id PACKETSTORM:146338 last seen 2018-02-15 published 2018-02-10 reporter Tavis Ormandy source https://packetstormsecurity.com/files/146338/glibc-ORIGIN-Expansion-Privilege-Escalation.html title glibc '$ORIGIN' Expansion Privilege Escalation data source https://packetstormsecurity.com/files/download/94955/gnuc-origin.txt id PACKETSTORM:94955 last seen 2016-12-05 published 2010-10-19 reporter Tavis Ormandy source https://packetstormsecurity.com/files/94955/GNU-C-Library-Dynamic-Linker-ORIGIN-Expansion-Vulnerability.html title GNU C Library Dynamic Linker $ORIGIN Expansion Vulnerability data source https://packetstormsecurity.com/files/download/146975/glibc_ld_audit_dso_libmemusage.rb.txt id PACKETSTORM:146975 last seen 2018-03-31 published 2018-03-30 reporter Marco Ivaldi source https://packetstormsecurity.com/files/146975/glibc-LD_AUDIT-libmemusage.so-RHEL-Based-Arbitrary-DSO-Load-Privilege-Escalation.html title glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation data source https://packetstormsecurity.com/files/download/95098/gnuc-dlopen.txt id PACKETSTORM:95098 last seen 2016-12-05 published 2010-10-22 reporter Tavis Ormandy source https://packetstormsecurity.com/files/95098/GNU-C-Library-Dynamic-Linker-Arbitrary-DSO-dlopen.html title GNU C Library Dynamic Linker Arbitrary DSO dlopen data source https://packetstormsecurity.com/files/download/146337/glibc_ld_audit_dso_load_priv_esc.rb.txt id PACKETSTORM:146337 last seen 2018-02-15 published 2018-02-10 reporter Marco Ivaldi source https://packetstormsecurity.com/files/146337/glibc-LD_AUDIT-Arbitrary-DSO-Load-Privilege-Escalation.html title glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
bulletinFamily exploit description No description provided by source. id SSV:70046 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-70046 title GNU C library dynamic linker LD_AUDIT arbitrary DSO load Vulnerability bulletinFamily exploit description No description provided by source. id SSV:70027 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-70027 title GNU C library dynamic linker $ORIGIN expansion Vulnerability
References
- http://www.vmware.com/security/advisories/VMSA-2011-0001.html
- http://seclists.org/fulldisclosure/2010/Oct/292
- http://seclists.org/fulldisclosure/2010/Oct/257
- http://seclists.org/fulldisclosure/2010/Oct/294
- https://bugzilla.redhat.com/show_bug.cgi?id=643306
- https://rhn.redhat.com/errata/RHSA-2010-0787.html
- http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
- http://www.vupen.com/english/advisories/2011/0025
- http://www.kb.cert.org/vuls/id/537223
- http://www.debian.org/security/2010/dsa-2122
- http://www.ubuntu.com/usn/USN-1009-1
- http://www.redhat.com/support/errata/RHSA-2010-0872.html
- http://secunia.com/advisories/42787
- http://support.avaya.com/css/P8/documents/100120941
- http://security.gentoo.org/glsa/glsa-201011-01.xml
- http://www.securityfocus.com/bid/44154
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:207
- https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html
- https://www.exploit-db.com/exploits/44025/
- https://www.exploit-db.com/exploits/44024/
- http://www.securityfocus.com/archive/1/515545/100/0/threaded