
Bug 639972 (CVE-2017-1000408, CVE-2017-1000409)

Summary: sys-libs/glibc: Multiple vulnerabilities (CVE-2017-{1000408,1000409})
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: trivial
CC: dilfridge, tamiko
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/fulldisclosure/2017/Dec/40
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-05 18:19:59 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-13 14:12:29 UTC
From $URL:

========================================================================
Summary
========================================================================

We have discovered a memory leak and a buffer overflow in the dynamic
loader (ld.so) of the GNU C Library (glibc):

- the memory leak (CVE-2017-1000408) first appeared in glibc 2.1.1
  (released on May 24, 1999) and can be reached and amplified through
  the LD_HWCAP_MASK environment variable;

- the buffer overflow (CVE-2017-1000409) first appeared in glibc 2.5
  (released on September 29, 2006) and can be triggered through the
  LD_LIBRARY_PATH environment variable.

Further investigation showed that:

- the buffer overflow is not exploitable if
  /proc/sys/fs/protected_hardlinks is enabled (it is not enabled by
  default on vanilla Linux kernels, but most Linux distributions turn it
  on by default);

- the memory leak and the buffer overflow are not exploitable if the
  glibc is patched against CVE-2017-1000366, because this patch ignores
  the LD_HWCAP_MASK and LD_LIBRARY_PATH environment variables when SUID
  binaries are executed (CVE-2017-1000366 was first patched in glibc
  2.26, released on August 2, 2017, but most Linux distributions had
  already backported this patch on June 19, 2017).

We have therefore rated the impact of these vulnerabilities as Low.
Nevertheless, we give a brief analysis of the vulnerable function, and
present a simple method for exploiting a SUID binary on the command line
and obtaining full root privileges (if /proc/sys/fs/protected_hardlinks
is not enabled, and CVE-2017-1000366 is not patched).

[...]
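The two conditions the advisory lists as preventing exploitation, turned into a host-side check. This is an added example, not part of the bug or the Qualys advisory; it assumes `getconf GNU_LIBC_VERSION` is available for the version lookup and treats the 2.26 threshold only as a heuristic, since distributions backport the CVE-2017-1000366 fix to older versions.

```shell
#!/bin/sh
# Added defender check, not part of the Gentoo bug or the Qualys advisory. It reports the
# two conditions the advisory names as preventing exploitation: fs.protected_hardlinks
# enabled, and a glibc carrying the CVE-2017-1000366 fix (ld.so ignores LD_HWCAP_MASK and
# LD_LIBRARY_PATH for SUID binaries; upstream since 2.26). The version test is a heuristic:
# distributions backport the fix (Gentoo: >=sys-libs/glibc-2.23-r4), so "< 2.26" means
# "confirm with the vendor changelog", not "vulnerable".

# Returns 0 when the sysctl file holds "1". $1: file path (default: the /proc path).
protected_hardlinks_enabled() {
    f="${1:-/proc/sys/fs/protected_hardlinks}"
    [ -r "$f" ] || return 1
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Prints the running glibc version (e.g. "2.35"), or nothing if it cannot be determined.
installed_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '{ print $2 }'
}

# Returns 0 when version $1 is >= version $2. Only MAJOR.MINOR are compared; a distro
# suffix such as "23-r4" is reduced to its leading digits ("23"), a bare "3" reads as 3.0.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#"$a_major"}; a_minor=${a_minor#.}
    b_major=${2%%.*}; b_minor=${2#"$b_major"}; b_minor=${b_minor#.}
    a_minor=${a_minor%%[!0-9]*}; b_minor=${b_minor%%[!0-9]*}
    [ "${a_major:-0}" -gt "${b_major:-0}" ] && return 0
    [ "${a_major:-0}" -lt "${b_major:-0}" ] && return 1
    [ "${a_minor:-0}" -ge "${b_minor:-0}" ]
}

# Human-readable summary; always exits 0 (this is a report, not a gate).
report() {
    if protected_hardlinks_enabled; then
        echo "fs.protected_hardlinks: enabled (LD_LIBRARY_PATH overflow not exploitable)"
    else
        echo "fs.protected_hardlinks: disabled or unreadable (consider sysctl fs.protected_hardlinks=1)"
    fi
    v=$(installed_glibc_version)
    if [ -z "$v" ]; then
        echo "glibc: version unknown (getconf GNU_LIBC_VERSION unavailable)"
    elif version_ge "$v" 2.26; then
        echo "glibc $v: >= 2.26, CVE-2017-1000366 fix is upstream"
    else
        echo "glibc $v: < 2.26, check whether your distribution backported the CVE-2017-1000366 fix"
    fi
}

report
```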
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-13 14:20:49 UTC
Gentoo is not affected because >=sys-libs/glibc-2.23-r4 carries the patch for CVE-2017-1000366.

Repository is clean.

All done.