__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Red Hat glibc Vulnerability [Red Hat Linux RHSA-2001:160-09] December 19, 2001 21:00 GMT Number M-029 ______________________________________________________________________________ PROBLEM: An overflowable buffer exists in earlier versions of glibc glob(3) implementation. PLATFORM: Red Hat Linux 6.2 - alpha, i386, i686, sparc, sparcv9 Red Hat Linux 7.0 - alpha, alphaev6, i386, i686 Red Hat Linux 7.1 - alpha, alphaev6, i386, i686, ia64 Red Hat Linux 7.2 - i386, i686 DAMAGE: It may be possible to exploit programs that pass user modifiable input to the glibc glob function. SOLUTION: Apply available patches. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. Remote users could get root. ASSESSMENT: ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/xxx.shtml ORIGINAL BULLETIN: http://www.redhat.com/support/errata/RHSA-2001-160.html ______________________________________________________________________________ [***** Start Red Hat Linux RHSA-2001:160-09 *****] Red Hat Linux Errata Advisory Synopsis Updated glibc packages are available Advisory ID RHSA-2001:160-09 Issue Date 2001-11-28 Updated On 2001-12-14 Product Red Hat Linux Keywords glibc glob buffer overrun DT_RUNPATH LD_LIBRARY_PATH strndup Cross References Obsoletes 1. Topic: Updated glibc packages are available to fix an overflowable buffer and for 7.x to fix a couple of non-security related bugs. 2. Problem description: An overflowable buffer exists in earlier versions of glibc glob(3) implementation. It may be possible to exploit programs that pass user modifiable input to the glibc glob function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-0886 to this issue. This errata also fixes a couple of non-security related bugs in glibc packages for Red Hat Linux 7.x. There was a bug in the dynamic linker which caused DT_RUNPATH dynamic tags (e.g. created by GNU ld with --enable-new-dtags -rpath DIR options) to behave the same way as mere DT_RPATH tag, ie. search paths in it couldn't be overridden by LD_LIBRARY_PATH environment variable; this is fixed in the updated packages, as well as a strndup bug when strndup was used with string literal argument and a typo in header. It is recommended that all users upgrade to provided packages. We'd like to thank Flavio Veloso for discovering this buffer overflow problem. 3. Bug IDs fixed: (see bugzilla for more information) 55865 - LD_LIBRARY_PATH / rpath interaction 57268 - syntax error in inttypes.h with 2.2.4-19 update 4. Relevant releases/architectures: Red Hat Linux 6.2 - alpha, i386, i686, sparc, sparcv9 Red Hat Linux 7.0 - alpha, alphaev6, i386, i686 Red Hat Linux 7.1 - alpha, alphaev6, i386, i686, ia64 Red Hat Linux 7.2 - i386, i686 5. RPMs required: Red Hat Linux 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/os/SRPMS/glibc-2.1.3-23.src.rpm alpha: ftp://updates.redhat.com/6.2/en/os/alpha/glibc-2.1.3-23.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/glibc-devel-2.1.3-23.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/glibc-profile-2.1.3-23.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/nscd-2.1.3-23.alpha.rpm i386: ftp://updates.redhat.com/6.2/en/os/i386/glibc-2.1.3-23.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/glibc-devel-2.1.3-23.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/glibc-profile-2.1.3-23.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/nscd-2.1.3-23.i386.rpm sparc: ftp://updates.redhat.com/6.2/en/os/sparc/glibc-2.1.3-23.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/glibc-devel-2.1.3-23.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/glibc-profile-2.1.3-23.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/nscd-2.1.3-23.sparc.rpm sparcv9: ftp://updates.redhat.com/6.2/en/os/sparcv9/glibc-2.1.3-23.sparcv9.rpm Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/glibc-2.2.4-18.7.0.3.src.rpm alpha: ftp://updates.redhat.com/7.0/en/os/alpha/glibc-2.2.4-18.7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/glibc-devel-2.2.4-18.7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/glibc-profile-2.2.4-18.7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/glibc-common-2.2.4-18.7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/nscd-2.2.4-18.7.0.3.alpha.rpm alphaev6: ftp://updates.redhat.com/7.0/en/os/alphaev6/glibc-2.2.4-18.7.0.3.alphaev6.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/glibc-2.2.4-18.7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/glibc-devel-2.2.4-18.7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/glibc-profile-2.2.4-18.7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/glibc-common-2.2.4-18.7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/nscd-2.2.4-18.7.0.3.i386.rpm i686: ftp://updates.redhat.com/7.0/en/os/i686/glibc-2.2.4-18.7.0.3.i686.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/glibc-2.2.4-19.3.src.rpm alpha: ftp://updates.redhat.com/7.1/en/os/alpha/glibc-2.2.4-19.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/glibc-devel-2.2.4-19.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/glibc-profile-2.2.4-19.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/glibc-common-2.2.4-19.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/nscd-2.2.4-19.3.alpha.rpm alphaev6: ftp://updates.redhat.com/7.1/en/os/alphaev6/glibc-2.2.4-19.3.alphaev6.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/glibc-2.2.4-19.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/glibc-devel-2.2.4-19.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/glibc-profile-2.2.4-19.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/glibc-common-2.2.4-19.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/nscd-2.2.4-19.3.i386.rpm i686: ftp://updates.redhat.com/7.1/en/os/i686/glibc-2.2.4-19.3.i686.rpm ia64: ftp://updates.redhat.com/7.1/en/os/ia64/glibc-2.2.4-19.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/glibc-devel-2.2.4-19.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/glibc-profile-2.2.4-19.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/glibc-common-2.2.4-19.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/nscd-2.2.4-19.3.ia64.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/glibc-2.2.4-19.3.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/glibc-2.2.4-19.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/glibc-devel-2.2.4-19.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/glibc-profile-2.2.4-19.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/glibc-common-2.2.4-19.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/nscd-2.2.4-19.3.i386.rpm i686: ftp://updates.redhat.com/7.2/en/os/i686/glibc-2.2.4-19.3.i686.rpm 6. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 7. Verification: MD5 sum Package Name ------------------------------------------------------------------------- c357416249d75bdc045f6a0bd375d38e 6.2/en/os/SRPMS/glibc-2.1.3-23.src.rpm 1488ff1e3bd4505ebad71e9eadc6cfe3 6.2/en/os/alpha/glibc-2.1.3-23.alpha.rpm ccf5c9dd4c68eaae2f7661bce814a686 6.2/en/os/alpha/glibc-devel-2.1.3-23.alpha.rpm 87e6ba6d7600a3b3fd35e106745fa788 6.2/en/os/alpha/glibc-profile-2.1.3-23.alpha.rpm a8679c548f4de4c413720b88231b79ea 6.2/en/os/alpha/nscd-2.1.3-23.alpha.rpm 3e8cba807ffdce5579114bb2f3fbbdfd 6.2/en/os/i386/glibc-2.1.3-23.i386.rpm aa3c90d7d4cedfd4ebf45a44312fd3a2 6.2/en/os/i386/glibc-devel-2.1.3-23.i386.rpm 07197b46d6f567131b43330bcc59b28f 6.2/en/os/i386/glibc-profile-2.1.3-23.i386.rpm ec8527e6b9924ce9e8a5824d1983a606 6.2/en/os/i386/nscd-2.1.3-23.i386.rpm 6e3523c567b724d6875b05d48a8781e1 6.2/en/os/sparc/glibc-2.1.3-23.sparc.rpm 9435475af4f944accc5c33119f4bebe1 6.2/en/os/sparc/glibc-devel-2.1.3-23.sparc.rpm b12cb08aaed71abab6c8b8eaa2b41072 6.2/en/os/sparc/glibc-profile-2.1.3-23.sparc.rpm b124928f89fb1a46cff833056d44dd79 6.2/en/os/sparc/nscd-2.1.3-23.sparc.rpm 907c6bdf5a8dd1c4f2803f6d8f3a0ae3 6.2/en/os/sparcv9/glibc-2.1.3-23.sparcv9.rpm ae84cff41c783ea0b75f083870a756f4 7.0/en/os/SRPMS/glibc-2.2.4-18.7.0.3.src.rpm f1c2cca381e329afcb9f580b3b889363 7.0/en/os/alpha/glibc-2.2.4-18.7.0.3.alpha.rpm 2076d9b49459b1b9d51a71ca6c1f7f6a 7.0/en/os/alpha/glibc-common-2.2.4-18.7.0.3.alpha.rpm f375a5b1b44110fb0fee04b69b6f2c63 7.0/en/os/alpha/glibc-devel-2.2.4-18.7.0.3.alpha.rpm 8f2430025f19cec38df29f673cd9b7bb 7.0/en/os/alpha/glibc-profile-2.2.4-18.7.0.3.alpha.rpm 1bfd015bc33811a1c6ad08f57d1bac29 7.0/en/os/alpha/nscd-2.2.4-18.7.0.3.alpha.rpm dcbfacca113f7ea4d3d7c75baac8d0fb 7.0/en/os/alphaev6/glibc-2.2.4-18.7.0.3.alphaev6.rpm 05bb9c3de55e04b8fca48d3508c99d03 7.0/en/os/i386/glibc-2.2.4-18.7.0.3.i386.rpm b4269c4c1c5e48166068a691cd0fd968 7.0/en/os/i386/glibc-common-2.2.4-18.7.0.3.i386.rpm e46be81d1912d78ea5a1e9db63623fe6 7.0/en/os/i386/glibc-devel-2.2.4-18.7.0.3.i386.rpm fedfe5e3d2cdbeef9eb616fbe215cb96 7.0/en/os/i386/glibc-profile-2.2.4-18.7.0.3.i386.rpm dff1ecb55acef7be12cffa5c45b725b1 7.0/en/os/i386/nscd-2.2.4-18.7.0.3.i386.rpm 2cda97a74018abad487b749923607cee 7.0/en/os/i686/glibc-2.2.4-18.7.0.3.i686.rpm 1ab748bd3fe04702751b7633b98a315d 7.1/en/os/SRPMS/glibc-2.2.4-19.3.src.rpm 3e2faca6f40e6167f88eea85eac58940 7.1/en/os/alpha/glibc-2.2.4-19.3.alpha.rpm 56538cf7a756228a90f25abd85774228 7.1/en/os/alpha/glibc-common-2.2.4-19.3.alpha.rpm b5a3914236dc76181d4f1b417fcb08f2 7.1/en/os/alpha/glibc-devel-2.2.4-19.3.alpha.rpm 11ddc075098bd3cd3953d86658250620 7.1/en/os/alpha/glibc-profile-2.2.4-19.3.alpha.rpm b4c02b68cf7a98376707e11a665e8057 7.1/en/os/alpha/nscd-2.2.4-19.3.alpha.rpm 0c74520246ae0f5b1ccacfcd65223feb 7.1/en/os/alphaev6/glibc-2.2.4-19.3.alphaev6.rpm 9ece40bc4b5a2fb8734c7807b28b86a4 7.1/en/os/i386/glibc-2.2.4-19.3.i386.rpm 8b9c9635214c475b6fd6c7e5dab3d3c0 7.1/en/os/i386/glibc-common-2.2.4-19.3.i386.rpm 78ddc49ad3cbb1f769d61f2357466d8d 7.1/en/os/i386/glibc-devel-2.2.4-19.3.i386.rpm e53b1f547dd67c86aa2cf969f54ff015 7.1/en/os/i386/glibc-profile-2.2.4-19.3.i386.rpm ce89d05dad8b1278d3a753676b96e5aa 7.1/en/os/i386/nscd-2.2.4-19.3.i386.rpm 1dfabf932afb04048d12622e6fc6859f 7.1/en/os/i686/glibc-2.2.4-19.3.i686.rpm 24cb3c3be8b8b50c709f5dfd593f2b0a 7.1/en/os/ia64/glibc-2.2.4-19.3.ia64.rpm 330ec0f05b6d2e83c4c57dcad9c513de 7.1/en/os/ia64/glibc-common-2.2.4-19.3.ia64.rpm 5bf8a4da1d8e34b79c4bdc953d610467 7.1/en/os/ia64/glibc-devel-2.2.4-19.3.ia64.rpm 5163bf8fa2897e653c93a9234a0d39b8 7.1/en/os/ia64/glibc-profile-2.2.4-19.3.ia64.rpm 64a273fa127fbd09f7f3a30b00390972 7.1/en/os/ia64/nscd-2.2.4-19.3.ia64.rpm 1ab748bd3fe04702751b7633b98a315d 7.2/en/os/SRPMS/glibc-2.2.4-19.3.src.rpm 9ece40bc4b5a2fb8734c7807b28b86a4 7.2/en/os/i386/glibc-2.2.4-19.3.i386.rpm 8b9c9635214c475b6fd6c7e5dab3d3c0 7.2/en/os/i386/glibc-common-2.2.4-19.3.i386.rpm 78ddc49ad3cbb1f769d61f2357466d8d 7.2/en/os/i386/glibc-devel-2.2.4-19.3.i386.rpm e53b1f547dd67c86aa2cf969f54ff015 7.2/en/os/i386/glibc-profile-2.2.4-19.3.i386.rpm ce89d05dad8b1278d3a753676b96e5aa 7.2/en/os/i386/nscd-2.2.4-19.3.i386.rpm 1dfabf932afb04048d12622e6fc6859f 7.2/en/os/i686/glibc-2.2.4-19.3.i686.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact.html You can verify each package with the following command: rpm --checksig filename If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg filename Note that you need RPM >= 3.0 to check GnuPG keys. 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0886 Copyright© 2000 Red Hat, Inc. [***** End Red Hat Linux RHSA-2001:160-09 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat Linux for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-019: Multiple Vendor CDE dtpscd Process Buffer Overflow M-020: SGI Multiple Local SendMail Vulnerability M-021: Hewlett-Packard Remote Logic Flaw Vulnerability in rlpdaemon M-022: SGI IRIX shells create temporary files insecurely M-023: Multiple Vendor wu-ftdp File Globbing Heap Corruption Vulnerability M-024: Microsoft Internet Explorer calls telnet.exe with unsafe command-line arguments M-025: IRIX NEdit Vulnerability M-026: OpenSSH UseLogin Privilege Elevation Vulnerability M-027: Microsoft Internet Explorer-Content Type Falsification (Three Vulnerabilities) M-028: HPLX-sendmail Vulnerability