Bugzilla – Bug 950944
VUL-1: CVE-2015-8777: glibc: pointer guarding weakness
Last modified: 2020-06-14 05:10:38 UTC
Created attachment 652073 [details]
exploit PoC code

http://seclists.org/oss-sec/2015/q3/504

A weakness in the dynamic loader has been found; glibc prior to 2.22.90 is affected. The issue is that LD_POINTER_GUARD in the environment is not sanitized, allowing local attackers to easily bypass the pointer guarding protection on set-user-ID and set-group-ID programs.

Details and PoC at: http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html

Quoting further:

Pointer guarding is a security mechanism whereby some pointers to code stored in writable program memory (return addresses saved by setjmp(3) or function pointers used by various glibc internals) are mangled semi-randomly to make it more difficult for an attacker to hijack the pointers for use in the event of a buffer overrun or stack-smashing attack.

Impact: This security issue allows a local user to disable the pointer guard security mechanism, which makes the system weaker. Note that disabling the pointer mangling protection cannot be exploited on its own; an attack vector to modify the protected (mangled) pointer is necessary.

Similar to CVE-2013-4788, but now affects dynamically linked applications.

Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=18928

Upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7

> Always enable pointer guard [BZ #18928]
>
> Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
> has security implications. This commit enables pointer guard
> unconditionally, and the environment variable is now ignored.
>
> [BZ #18928]
> * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
> _dl_pointer_guard member.
> * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
> initializer.
> (security_init): Always set up pointer guard.
> (process_envvars): Do not process LD_POINTER_GUARD.

Fixed upstream in 2.23.
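The following is an added example and not code from the bug report, from the PoC linked above, or from glibc itself. It models the x86_64 PTR_MANGLE/PTR_DEMANGLE operations (xor with the per-process guard, then a 17-bit rotate, as in glibc's x86_64 sysdeps) to show why the weakness matters: on an unfixed glibc, LD_POINTER_GUARD=0 in the environment of an AT_SECURE program left the guard at its initial value of 0, so a mangled pointer became a plain rotate that anyone can compute. The function names (ptr_mangle, ptr_demangle, attacker_forge, forgery_hijacks), the sample addresses and the nonzero guard value are all constructed for this example; the memory write that overwrites the saved slot is assumed to come from a separate bug, which is exactly the caveat the report makes.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotation amount used by glibc's PTR_MANGLE on x86_64: 2*LP_SIZE+1 = 17. */
#define GUARD_ROT 17

static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* Model of PTR_MANGLE: xor the pointer with the per-process guard
 * (%fs:POINTER_GUARD in the real TCB), then rotate left by 17. */
uint64_t ptr_mangle(uint64_t p, uint64_t guard)
{
    return rol64(p ^ guard, GUARD_ROT);
}

/* Model of PTR_DEMANGLE: rotate right by 17, then xor with the guard. */
uint64_t ptr_demangle(uint64_t m, uint64_t guard)
{
    return ror64(m, GUARD_ROT) ^ guard;
}

/* Attacker's forgery. On an unfixed glibc, LD_POINTER_GUARD=0 in the
 * environment of a set-user-ID program left the guard at its initial
 * value of 0, so the mangled form of any target is just rol(target, 17):
 * no secret is needed to produce it. */
uint64_t attacker_forge(uint64_t target)
{
    return rol64(target, GUARD_ROT);
}

/* Simulates a setjmp/longjmp-style saved-pointer slot. The victim stores
 * a mangled legitimate pointer; the attacker, via a separate memory
 * corruption bug (assumed here, not provided by this CVE), overwrites the
 * slot with a forgery; the victim demangles and jumps. Returns 1 if
 * control would land on the attacker's target, 0 otherwise. */
int forgery_hijacks(uint64_t guard, uint64_t legit, uint64_t target)
{
    uint64_t slot = ptr_mangle(legit, guard);   /* saved by the victim   */
    slot = attacker_forge(target);              /* overwritten by attacker */
    return ptr_demangle(slot, guard) == target; /* restored by longjmp()  */
}

int main(void)
{
    /* Constructed sample values: a legitimate return address and an
     * attacker-chosen target; neither comes from a real binary. */
    uint64_t legit  = 0x0000000000401136ULL;
    uint64_t target = 0x00007ffff7a52000ULL;
    /* A constructed nonzero guard, standing in for the random one the
     * loader derives from AT_RANDOM when the protection is active. */
    uint64_t random_guard = 0x9e3779b97f4a7c15ULL;

    printf("guard=0 (LD_POINTER_GUARD=0, unfixed glibc): hijack=%d\n",
           forgery_hijacks(0, legit, target));
    printf("random guard (fixed glibc, env ignored):     hijack=%d\n",
           forgery_hijacks(random_guard, legit, target));
    return 0;
}
```

With a zero guard the forged slot demangles exactly to the attacker's target; with any nonzero guard the same forgery demangles to target xor guard, which is why the fixed loader (2.23 and the patched packages listed below) sets the guard unconditionally and ignores the environment variable. The model deliberately leaves out the separate write primitive an attacker would still need.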
My understanding of this is that it is a local exploit which requires further vulnerabilities in setuid / setgid executables to escalate privileges.
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (950944) was mentioned in https://build.opensuse.org/request/show/345165 Factory / glibc
This is an autogenerated message for OBS integration: This bug (950944) was mentioned in https://build.opensuse.org/request/show/348864 13.2 / glibc
openSUSE-SU-2015:2355-1: An update that contains security fixes can now be installed.

Category: security (low)
Bug References: 936251,950944,955647
CVE References:
Sources used:
openSUSE 13.2 (src): glibc-2.19-16.18.1, glibc-testsuite-2.19-16.18.2, glibc-utils-2.19-16.18.1
*** Bug 962735 has been marked as a duplicate of this bug. ***
SUSE-SU-2016:0470-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 830257,847227,863499,892065,918187,920338,927080,945779,950944,961721,962736,962737,962738,962739
CVE References: CVE-2013-2207,CVE-2013-4458,CVE-2014-8121,CVE-2014-9761,CVE-2015-1781,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): glibc-2.11.3-17.45.66.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src): glibc-2.11.3-17.45.66.1
SUSE-SU-2016:0471-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 950944,955647,956716,958315,961721,962736,962737,962738,962739
CVE References: CVE-2014-9761,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): glibc-2.19-35.1
SUSE Linux Enterprise Server 12-SP1 (src): glibc-2.19-35.1
SUSE Linux Enterprise Desktop 12-SP1 (src): glibc-2.19-35.1
SUSE-SU-2016:0472-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 930721,942317,950944,956988,961721,962736,962737,962738,962739
CVE References: CVE-2014-9761,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): glibc-2.11.3-17.95.2
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): glibc-2.11.3-17.95.2
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): glibc-2.11.3-17.95.2
SUSE Linux Enterprise Server 11-SP4 (src): glibc-2.11.3-17.95.2
SUSE Linux Enterprise Server 11-SP3 (src): glibc-2.11.3-17.95.2
SUSE Linux Enterprise Desktop 11-SP4 (src): glibc-2.11.3-17.95.2
SUSE Linux Enterprise Desktop 11-SP3 (src): glibc-2.11.3-17.95.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): glibc-2.11.3-17.95.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): glibc-2.11.3-17.95.2
SUSE-SU-2016:0473-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 950944,955647,956716,958315,961721,962736,962737,962738,962739
CVE References: CVE-2014-9761,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): glibc-2.19-22.13.1
SUSE Linux Enterprise Server 12 (src): glibc-2.19-22.13.1
SUSE Linux Enterprise Desktop 12 (src): glibc-2.19-22.13.1
openSUSE-SU-2016:0490-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 950944,955647,956716,958315,961721,962736,962737,962738,962739
CVE References: CVE-2014-9761,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Sources used:
openSUSE Leap 42.1 (src): glibc-2.19-19.1, glibc-testsuite-2.19-19.2, glibc-utils-2.19-19.1
All updates released.