Bug 1008255 (CVE-2011-1658)

Summary: VUL-0: CVE-2011-1658 glibc: ld.so insecure handling of privileged programs' RPATHs with $ORIGIN
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Andreas Schwab <schwab>
Status: RESOLVED DUPLICATE QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P5 - None CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/50827/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2016-11-03 08:25:41 UTC 
via rh bugzilla

ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the
$ORIGIN dynamic string token when RPATH is composed entirely of this token,
which might allow local users to gain privileges by creating a hard link in an
arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value,
and then executing the program with a crafted value for the LD_PRELOAD
environment variable, a different vulnerability than CVE-2010-3847 and
CVE-2011-0536.  NOTE: it is not expected that any standard operating-system
distribution would ship an applicable setuid or setgid program.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=694873
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1658
http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-1658.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1658
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Comment 1 Marcus Meissner 2016-11-03 08:26:16 UTC 
our setuid/setgid binaries at least do not contain $ORIGIN constructs, so our default installation is not affected.
Comment 3 Andreas Schwab 2016-11-03 09:31:19 UTC 
Fixed by ld-rpath-setuid.diff.

*** This bug has been marked as a duplicate of bug 687510 ***