National Cyber Awareness System

Vulnerability Summary for CVE-2010-3847

Overview

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Vulnerability Note: VU#537223

Name: VU#537223

Hyperlink:http://www.kb.cert.org/vuls/id/537223

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=643306

Type: Patch Information

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=643306

External Source: MLIST

Name: [libc-hacker] 20101018 [PATCH] Never expand $ORIGIN in privileged programs

Type: Patch Information

Hyperlink:http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html

External Source: REDHAT

Name: RHSA-2010:0787

Hyperlink:https://rhn.redhat.com/errata/RHSA-2010-0787.html

External Source: VUPEN

Name: ADV-2011-0025

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2011/0025

External Source: CONFIRM

Name: http://www.vmware.com/security/advisories/VMSA-2011-0001.html

Hyperlink:http://www.vmware.com/security/advisories/VMSA-2011-0001.html

External Source: UBUNTU

Name: USN-1009-1

Hyperlink:http://www.ubuntu.com/usn/USN-1009-1

External Source: BID

Name: 44154

Hyperlink:http://www.securityfocus.com/bid/44154

External Source: BUGTRAQ

Name: 20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/515545/100/0/threaded

External Source: REDHAT

Name: RHSA-2010:0872

Hyperlink:http://www.redhat.com/support/errata/RHSA-2010-0872.html

External Source: MANDRIVA

Name: MDVSA-2010:207

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2010:207

External Source: DEBIAN

Name: DSA-2122

Hyperlink:http://www.debian.org/security/2010/dsa-2122

External Source: CONFIRM

Name: http://support.avaya.com/css/P8/documents/100120941

Hyperlink:http://support.avaya.com/css/P8/documents/100120941

External Source: GENTOO

Name: GLSA-201011-01

Hyperlink:http://security.gentoo.org/glsa/glsa-201011-01.xml

External Source: SECUNIA

Name: 42787

Type: Advisory

Hyperlink:http://secunia.com/advisories/42787

External Source: FULLDISC

Name: 20101020 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path

Hyperlink:http://seclists.org/fulldisclosure/2010/Oct/294

External Source: FULLDISC

Name: 20101019 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path

Hyperlink:http://seclists.org/fulldisclosure/2010/Oct/292

External Source: FULLDISC

Name: 20101018 The GNU C library dynamic linker expands $ORIGIN in setuid library search path

Hyperlink:http://seclists.org/fulldisclosure/2010/Oct/257