Bugzilla – Bug 677787
VUL-1: ldd executes loader specified in binary
Last modified: 2024-04-16 04:07:16 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public. Old issue came up again: http://reverse.lostrealm.com/protect/ldd.html http://www.catonmat.net/blog/ldd-arbitrary-code-execution/ Owl, Alt Linux and Debian patch their glibc to invoke the loader explictly to provide at least minimal defense: http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/glibc/glibc-2.3.6-owl-alt-ldd.diff http://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=788577027d2950e9508a434475e04c3af864d169 Since that measurement is rather simple I'd suggest to also do it.
Yes, it makes a lot of sense to fix this for us as well. It's not really high priority at all since this has been known for ages, but taking such a patch for our next security update is good idea.
The SWAMPID for this issue is 39331. This issue was rated as moderate. Please submit fixed packages until 2011-03-28. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
p5->p3 mass change
*** Bug 684385 has been marked as a duplicate of this bug. ***
submitted everywhere
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: glibc, glibc-32bit, glibc-64bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-64bit, glibc-dceext-devel, glibc-dceext-x86, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-devel-64bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-64bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-64bit, glibc-profile-x86, glibc-x86, nscd Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: glibc, glibc-devel, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-profile, nscd, timezone Products: Novell-Linux-POS 9 (i386) Open-Enterprise-Server 9 (i386) SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
This is an autogenerated message for OBS integration: This bug (677787) was mentioned in https://build.opensuse.org/request/show/227477 Factory / glibc
*** Bug 1222763 has been marked as a duplicate of this bug. ***