Bug 1039357 (CVE-2017-1000366) - VUL-0: CVE-2017-1000366: glibc: Qualys new root/setuid privilege escalation method 05-2017
Summary: VUL-0: CVE-2017-1000366: glibc: Qualys new root/setuid privilege escalation m...
Status: RESOLVED FIXED
Alias: CVE-2017-1000366
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2017-06-07
Assignee: Andreas Schwab
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2017-1000366:6.9:(AV:...
Keywords:
Depends on:
Blocks: 1037551
Reported: 2017-05-16 15:45 UTC by Marcus Meissner
Modified: 2018-03-20 15:46 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
0001-rtld-Completely-ignore-LD_LIBRARY_PATH-for-AT_SECURE.patch (1.03 KB, patch)
2017-05-29 07:12 UTC, Marcus Meissner
0002-rtld-Reject-overly-long-LD_PRELOAD-path-elements.patch (3.63 KB, patch)
2017-05-29 07:12 UTC, Marcus Meissner
0003-rtld-Reject-overly-long-LD_AUDIT-path-elements.patch (6.51 KB, patch)
2017-05-29 07:13 UTC, Marcus Meissner

Comment 4 Michael Matz 2017-05-17 15:08:47 UTC
As already discussed a bit with Marcus: the stack guard page size the kernel
uses should be large enough to cater for the cases in which glibc uses alloca.
Most alloca uses in glibc are meanwhile guarded by size checks (in which case
they are bound by 64KB), and some others, as the initial comment explains,
are implicitly guarded by other sizes (like MAX_ARG_STRLEN, then 128KB).

All allocas in glibc should be guarded by explicit or implicit length checks;
those that aren't should be made so (I don't think there are any left that aren't?).
The kernel guard page size should be increased to cater for this, i.e. be made
128KB.
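The size-checked alloca pattern Comment 4 describes, as an added illustration (this is not glibc's code; the 64 KB cutoff is the bound quoted in the comment, and the function and macro names are ours): small scratch buffers go on the stack, anything above the cutoff goes to the heap, so a caller-controlled length can never move the stack pointer past the kernel's guard region in a single jump.

```c
/* Bounded-alloca pattern: stack for small sizes, heap above a fixed cutoff.
 * Constructed example; not glibc source. */
#include <alloca.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bound stated in Comment 4 for glibc's size-checked alloca uses. */
#define ALLOCA_CUTOFF ((size_t)64 * 1024)

/* Mirrors the intent of glibc's size check: only small buffers use alloca. */
static bool use_alloca(size_t size) { return size <= ALLOCA_CUTOFF; }

/* Copy `len` bytes of `src` into a scratch buffer chosen by size, upper-case
 * ASCII letters in place, and return how many letters were changed.
 * Sets *on_heap to report which allocator was chosen; returns -1 if the
 * heap allocation failed. alloca must be called in this frame, not a helper,
 * because its memory is released when the calling function returns. */
long process_bounded(const char *src, size_t len, bool *on_heap)
{
    char *buf;
    *on_heap = !use_alloca(len);
    if (*on_heap) {
        buf = malloc(len);          /* large: never touches the stack */
        if (buf == NULL)
            return -1;
    } else {
        buf = alloca(len);          /* small: at most ALLOCA_CUTOFF bytes */
    }
    memcpy(buf, src, len);
    long changed = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] >= 'a' && buf[i] <= 'z') {
            buf[i] = (char)(buf[i] - ('a' - 'A'));
            changed++;
        }
    }
    if (*on_heap)
        free(buf);
    return changed;
}

int main(void)
{
    bool heap;
    long n = process_bounded("stack-clash", 11, &heap);
    printf("changed=%ld on_heap=%d\n", n, heap);   /* changed=10 on_heap=0 */
    return 0;
}
```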
Comment 5 Marcus Meissner 2017-05-18 08:53:36 UTC
See comment #c1 on the bigger ones identified.

To be very frank, we have been patching out "too large allocas" from glibc for several years now without knowing the actual impact and I fear there are likely more.

This has to be fixed once and for all.

So I see that building glibc and other libraries/programs with -fstack-check is the only solution to kill this bugclass.
Comment 6 Andreas Schwab 2017-05-18 09:01:42 UTC
This is already done in factory.
Comment 7 Marcus Meissner 2017-05-18 09:38:44 UTC
I do not see it in factory ... at least glibc is not built with -fstack-check according to the buildlog?
Comment 8 Andreas Schwab 2017-05-18 09:57:18 UTC
Sorry, mixed up with -fstack-protector.
Comment 10 Marcus Meissner 2017-05-22 18:52:58 UTC
CVE-2017-1000366 glibc stack/heap overflow (multiple vectors, multiple hardening to fix, not ideal but if needed we can SPLIT this more)
Comment 11 Marcus Meissner 2017-05-23 12:00:13 UTC
Embargo was changed to:

CRD: 2017-06-19


That said, we need to consider an earlier leak of the information and have stuff prepared earlier.
Comment 13 Marcus Meissner 2017-05-29 07:12:32 UTC
Created attachment 726741
0001-rtld-Completely-ignore-LD_LIBRARY_PATH-for-AT_SECURE.patch

from Florian Weimer
Comment 14 Marcus Meissner 2017-05-29 07:12:54 UTC
Created attachment 726742
0002-rtld-Reject-overly-long-LD_PRELOAD-path-elements.patch

from Florian Weimer
Comment 15 Marcus Meissner 2017-05-29 07:13:21 UTC
Created attachment 726743
0003-rtld-Reject-overly-long-LD_AUDIT-path-elements.patch

from Florian Weimer
Comment 17 Swamp Workflow Management 2017-05-30 05:29:45 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-06-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63642
Comment 19 Swamp Workflow Management 2017-05-31 14:26:42 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-06-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63643
Comment 22 Marcus Meissner 2017-06-19 15:21:02 UTC
The issue is now public:

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Comment 23 Swamp Workflow Management 2017-06-19 19:10:34 UTC
SUSE-SU-2017:1611-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1038690,1039357,987216
CVE References: CVE-2017-1000366
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    glibc-2.19-22.21.1
SUSE Linux Enterprise Server 12-LTSS (src):    glibc-2.19-22.21.1
Comment 24 Swamp Workflow Management 2017-06-19 19:12:52 UTC
SUSE-SU-2017:1614-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1038690,1039357,986858
CVE References: CVE-2017-1000366
Sources used:
SUSE OpenStack Cloud 6 (src):    glibc-2.19-40.6.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    glibc-2.19-40.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    glibc-2.19-40.6.1
Comment 25 Swamp Workflow Management 2017-06-19 19:16:23 UTC
SUSE-SU-2017:1619-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1039357,1040043
CVE References: CVE-2017-1000366
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    glibc-2.22-61.3
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    glibc-2.22-61.3
SUSE Linux Enterprise Server 12-SP2 (src):    glibc-2.22-61.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    glibc-2.22-61.3
OpenStack Cloud Magnum Orchestration 7 (src):    glibc-2.22-61.3
Comment 26 Swamp Workflow Management 2017-06-20 01:09:34 UTC
SUSE-SU-2017:1621-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1039357
CVE References: CVE-2017-1000366
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Server 11-SP4 (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    glibc-2.11.3-17.109.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    glibc-2.11.3-17.109.1
Comment 27 Swamp Workflow Management 2017-06-21 01:09:14 UTC
openSUSE-SU-2017:1629-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1039357,1040043
CVE References: CVE-2017-1000366
Sources used:
openSUSE Leap 42.2 (src):    glibc-2.22-4.9.1, glibc-testsuite-2.22-4.9.2, glibc-utils-2.22-4.9.1
Comment 28 Marcus Meissner 2017-07-10 07:47:24 UTC
all released