Bugzilla – Bug 1008255
VUL-0: CVE-2011-1658 glibc: ld.so insecure handling of privileged programs' RPATHs with $ORIGIN
Last modified: 2016-11-03 09:31:19 UTC
via rh bugzilla

ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the $ORIGIN dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value, and then executing the program with a crafted value for the LD_PRELOAD environment variable, a different vulnerability than CVE-2010-3847 and CVE-2011-0536. NOTE: it is not expected that any standard operating-system distribution would ship an applicable setuid or setgid program.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=694873
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1658
http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-1658.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1658
http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Our setuid/setgid binaries at least do not contain $ORIGIN constructs, so our default installation is not affected.
Fixed by ld-rpath-setuid.diff. *** This bug has been marked as a duplicate of bug 687510 ***
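The audit the second comment reports ("our setuid/setgid binaries do not contain $ORIGIN constructs") as an added example, not code from the bug report or from glibc: it walks the given directories, reads each ELF64 binary's dynamic section for DT_RPATH/DT_RUNPATH, and flags files that have the setuid or setgid bit set and carry $ORIGIN (in either spelling ld.so expands) anywhere in those paths. It deliberately checks for any $ORIGIN occurrence, a broader net than the "RPATH composed entirely of this token" condition in the CVE text; the script name and sample paths are assumptions.

```python
import os
import stat
import struct
import sys

SHT_DYNAMIC, DT_NULL, DT_RPATH, DT_RUNPATH = 6, 0, 15, 29  # System V ABI constants

def elf_rpaths(data):
    """Return every DT_RPATH/DT_RUNPATH string of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        return []  # not ELF64 little-endian (scripts, 32-bit): out of scope here
    e_shoff, _, _, _, _, e_shentsize, e_shnum = struct.unpack_from("<QIHHHHH", data, 40)
    def shdr(i):  # (sh_type, sh_offset, sh_size, sh_link) of section header i
        _, t, _, _, off, size, link, _, _, _ = struct.unpack_from(
            "<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        return t, off, size, link
    paths = []
    for i in range(e_shnum):
        sh_type, off, size, link = shdr(i)
        if sh_type != SHT_DYNAMIC:
            continue
        _, str_off, str_size, _ = shdr(link)  # .dynamic's sh_link names .dynstr
        strtab = data[str_off:str_off + str_size]
        for pos in range(off, off + size, 16):  # each Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag in (DT_RPATH, DT_RUNPATH):
                paths.append(strtab[d_val:strtab.index(b"\x00", d_val)].decode("latin-1"))
    return paths

def uses_origin(rpaths):
    """True if a search path carries $ORIGIN in either spelling ld.so expands."""
    return any("$ORIGIN" in p or "${ORIGIN}" in p for p in rpaths)

def audit_file(path):
    """Return (is_setuid_or_setgid, rpaths); unreadable files give (False, [])."""
    try:
        mode = os.stat(path).st_mode
        with open(path, "rb") as f:
            return bool(mode & (stat.S_ISUID | stat.S_ISGID)), elf_rpaths(f.read())
    except OSError:
        return False, []

if __name__ == "__main__":  # usage: python3 origin_audit.py /usr/bin /usr/sbin ...
    for root in sys.argv[1:]:
        for p in (os.path.join(d, n) for d, _, ns in os.walk(root) for n in ns):
            privileged, rpaths = audit_file(p)
            if privileged and uses_origin(rpaths):
                print(p, rpaths)
```

The same question is normally answered with `readelf -d` on each privileged binary; this version parses the section headers itself so it runs without binutils, and it reports nothing for a binary whose section headers were stripped out entirely.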