Bug 386333 (CVE-2011-1658)

Summary:	<sys-libs/glibc-2.14.1-r3: Privilege escalation (CVE-2011-1658)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A2 [glsa]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2011-10-08 14:37:19 UTC

CVE-2011-1658 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1658):
  ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the
  $ORIGIN dynamic string token when RPATH is composed entirely of this token,
  which might allow local users to gain privileges by creating a hard link in
  an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH
  value, and then executing the program with a crafted value for the
  LD_PRELOAD environment variable, a different vulnerability than
  CVE-2010-3847 and CVE-2011-0536.  NOTE: it is not expected that any standard
  operating-system distribution would ship an applicable setuid or setgid
  program.


With regard to the $ORIGIN debate from a while ago, I'd rather ask despite the "NOTE": Is Gentoo affected by this? Please not that this is apparently not the same issue.

Comment 1 SpanKY gentoo-dev

2012-04-13 23:54:27 UTC

should be addressed in glibc-2.14.1+

Comment 2 Sean Amoss (RETIRED) gentoo-dev

2012-09-27 18:48:14 UTC

Upstream commit:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=22836f52e3e4740e450f9b93a2f1e31a90b168a6

Comment 3 Mark Loeser (RETIRED) gentoo-dev

2013-02-22 23:25:58 UTC

toolchain done

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2013-12-03 04:14:33 UTC

This issue was resolved and addressed in
 GLSA 201312-01 at http://security.gentoo.org/glsa/glsa-201312-01.xml
by GLSA coordinator Chris Reffett (creffett).