Bug 1039357 (CVE-2017-1000366)

Summary: VUL-0: CVE-2017-1000366: glibc: Qualys new root/setuid privilege escalation method 05-2017
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Andreas Schwab <schwab>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: bhavel, emu, heiko.rommel, hvdheuvel, jsegitz, matz, meissner, mlimardo, mpluskal, mrueckert, roger.whittaker, tchvatal, vcizek, vpelcak
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2017-1000366:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C) CVSSv3:SUSE:CVE-2017-1000366:8.8:(AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) maint:running:63642:important CVSSv2:RedHat:CVE-2017-1000366:6.2:(AV:L/AC:H/Au:N/C:C/I:C/A:C) CVSSv3:RedHat:CVE-2017-1000366:7.4:(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) maint:released:oes2015:63647 CVSSv3:SUSE:CVE-2017-1000366:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) maint:released:sle10-sp3:63657 CVSSv2:NVD:CVE-2017-1000366:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) CVSSv3:RedHat:CVE-2017-1000366:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2017-1000408:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1037551    
Deadline: 2017-06-07   
Attachments: 0001-rtld-Completely-ignore-LD_LIBRARY_PATH-for-AT_SECURE.patch
0002-rtld-Reject-overly-long-LD_PRELOAD-path-elements.patch
0003-rtld-Reject-overly-long-LD_AUDIT-path-elements.patch

Comment 4 Michael Matz 2017-05-17 15:08:47 UTC 
As already discussed a bit with Marcus: the stack guard page size the kernel
uses should be large enough to cater for the cases in which glibc uses alloca.
Most alloca uses in glibc are meanwhile guarded by size checks (in which case
they are bound by 64KB), and some others, as the initial comment explains,
are implicitly guarded by other sizes (like MAX_ARG_STRLEN, then 128KB).

All allocas in glibc should be guarded by explicit or implicit length checks,
those that aren't should be made so (I don't think there are any left that aren't?).
The kernel guard page size should be increased to cater for this, i.e. be made
128KB.
Comment 5 Marcus Meissner 2017-05-18 08:53:36 UTC 
See comment #c1 on the bigger ones identified.

To be very frank, we have been patching out "too large allocas" from glibc for several years now without knowing the actual impact and I fear there are likely more.

This has to be fixed once and for all.

So I see that building glibc and other libraries/programs with -fstack-check is the only solution to kill this bugclass.
Comment 6 Andreas Schwab 2017-05-18 09:01:42 UTC 
This is already done in factory.
Comment 7 Marcus Meissner 2017-05-18 09:38:44 UTC 
I do not see it in factory ... at least glibc is not build with -fstack-check according to the buildlog?
Comment 8 Andreas Schwab 2017-05-18 09:57:18 UTC 
Sorry, mixed up with -fstack-protector.
Comment 10 Marcus Meissner 2017-05-22 18:52:58 UTC 
CVE-2017-1000366 glibc stack/heap overflow (multiple vectors, multiple                                                                                                                       
hardening to fix, not ideal but if needed we can SPLIT this more)
Comment 11 Marcus Meissner 2017-05-23 12:00:13 UTC 
Embargo was changed to:

CRD: 2017-06-19


That said, we need to consider an earlier leak of the information and have stuff prepared earlier.
Comment 13 Marcus Meissner 2017-05-29 07:12:32 UTC 
Created attachment 726741 [details]
0001-rtld-Completely-ignore-LD_LIBRARY_PATH-for-AT_SECURE.patch

0001-rtld-Completely-ignore-LD_LIBRARY_PATH-for-AT_SECURE.patch

from Florian Weimer
Comment 14 Marcus Meissner 2017-05-29 07:12:54 UTC 
Created attachment 726742 [details]
0002-rtld-Reject-overly-long-LD_PRELOAD-path-elements.patch

0002-rtld-Reject-overly-long-LD_PRELOAD-path-elements.patch

from florian weimer
Comment 15 Marcus Meissner 2017-05-29 07:13:21 UTC 
Created attachment 726743 [details]
0003-rtld-Reject-overly-long-LD_AUDIT-path-elements.patch

0003-rtld-Reject-overly-long-LD_AUDIT-path-elements.patch

from florian weimer
Comment 17 Swamp Workflow Management 2017-05-30 05:29:45 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-06-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63642
Comment 19 Swamp Workflow Management 2017-05-31 14:26:42 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-06-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63643
Comment 22 Marcus Meissner 2017-06-19 15:21:02 UTC 
The issue is now public:

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Comment 23 Swamp Workflow Management 2017-06-19 19:10:34 UTC 
SUSE-SU-2017:1611-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1038690,1039357,987216
CVE References: CVE-2017-1000366
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    glibc-2.19-22.21.1
SUSE Linux Enterprise Server 12-LTSS (src):    glibc-2.19-22.21.1
Comment 24 Swamp Workflow Management 2017-06-19 19:12:52 UTC 
SUSE-SU-2017:1614-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1038690,1039357,986858
CVE References: CVE-2017-1000366
Sources used:
SUSE OpenStack Cloud 6 (src):    glibc-2.19-40.6.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    glibc-2.19-40.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    glibc-2.19-40.6.1
Comment 25 Swamp Workflow Management 2017-06-19 19:16:23 UTC 
SUSE-SU-2017:1619-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1039357,1040043
CVE References: CVE-2017-1000366
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    glibc-2.22-61.3
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    glibc-2.22-61.3
SUSE Linux Enterprise Server 12-SP2 (src):    glibc-2.22-61.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    glibc-2.22-61.3
OpenStack Cloud Magnum Orchestration 7 (src):    glibc-2.22-61.3
Comment 26 Swamp Workflow Management 2017-06-20 01:09:34 UTC 
SUSE-SU-2017:1621-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1039357
CVE References: CVE-2017-1000366
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Server 11-SP4 (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    glibc-2.11.3-17.109.1
Comment 27 Swamp Workflow Management 2017-06-21 01:09:14 UTC 
openSUSE-SU-2017:1629-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1039357,1040043
CVE References: CVE-2017-1000366
Sources used:
openSUSE Leap 42.2 (src):    glibc-2.22-4.9.1, glibc-testsuite-2.22-4.9.2, glibc-utils-2.22-4.9.1
Comment 28 Marcus Meissner 2017-07-10 07:47:24 UTC 
all released