See https://www.openwall.com/lists/oss-security/2023/10/03/2.

"""
========================================================================
Summary
========================================================================

The GNU C Library's dynamic loader "find[s] and load[s] the shared objects (shared libraries) needed by a program, prepare[s] the program to run, and then run[s] it" (man ld.so). The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities. Historically, the processing of environment variables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been a fertile source of vulnerabilities in the dynamic loader.

Recently, we discovered a vulnerability (a buffer overflow) in the dynamic loader's processing of the GLIBC_TUNABLES environment variable (https://www.gnu.org/software/libc/manual/html_node/Tunables.html). This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c ("Fix SXID_ERASE behavior in setuid programs (BZ #27471)").

We successfully exploited this vulnerability and obtained full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, Debian 12 and 13; other distributions are probably also vulnerable and exploitable (one notable exception is Alpine Linux, which uses musl libc, not the glibc).

We will not publish our exploit for now; however, this buffer overflow is easily exploitable (by transforming it into a data-only attack), and other researchers might publish working exploits shortly after this coordinated disclosure.
"""
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf5480111cf4da127f6089fef7c2880e4f03cb48

commit cf5480111cf4da127f6089fef7c2880e4f03cb48
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-10-03 18:05:32 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-10-03 18:05:32 +0000

    sys-libs/glibc: 2.37 patchlevel 10 bump

    Bug: https://bugs.gentoo.org/915127
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/Manifest             |    1 +
 sys-libs/glibc/glibc-2.37-r7.ebuild | 1680 +++++++++++++++++++++++++++++++++++
 2 files changed, 1681 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e9ec2c1795c6528ca1ef440a45b0be7d3ff2d6e

commit 0e9ec2c1795c6528ca1ef440a45b0be7d3ff2d6e
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-10-03 18:11:18 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-10-03 18:11:45 +0000

    sys-libs/glibc: 2.38 patchlevel 5 bump

    Bug: https://bugs.gentoo.org/915127
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/Manifest             |    1 +
 sys-libs/glibc/glibc-2.38-r5.ebuild | 1706 +++++++++++++++++++++++++++++++++++
 2 files changed, 1707 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dac73faec799d2c7240f5545582cf70b8e33c49

commit 9dac73faec799d2c7240f5545582cf70b8e33c49
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-10-03 21:13:19 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-10-03 21:13:45 +0000

    sys-libs/glibc: keyword 2.37-r7

    Bug: https://bugs.gentoo.org/915127
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/glibc-2.37-r7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d47811b1b91485d359aa8bdeab275a82a105e73

commit 7d47811b1b91485d359aa8bdeab275a82a105e73
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-10-03 21:41:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-03 21:41:08 +0000

    sys-libs/glibc: keyword 2.38-r5

    Bug: https://bugs.gentoo.org/915127
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/glibc/glibc-2.38-r5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
GLSA request filed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=029e12731f29676d3f6ebed09f7747ee6e15c5e8

commit 029e12731f29676d3f6ebed09f7747ee6e15c5e8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-04 08:02:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-04 08:02:41 +0000

    [ GLSA 202310-03 ] glibc: Multiple vulnerabilities

    Bug: https://bugs.gentoo.org/867952
    Bug: https://bugs.gentoo.org/914281
    Bug: https://bugs.gentoo.org/915127
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202310-03.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)