
Bug 641644 (CVE-2017-16997)

Summary: <sys-libs/glibc-{2.25-r11,2.26-r6}: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries
Product: Gentoo Security Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Severity: major CC: holger, hydrapolic, toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A1 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 646492    
Bug Blocks:    

Description D'juan McDonald (domhnall) 2017-12-18 23:00:29 UTC

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretation of an empty RPATH/RUNPATH token as the "./" directory.

@maintainer(s): "NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution."

Proceed as necessary, call for stable when ready, thank you.

Gentoo Security Padawan
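
An audit for the condition described in the report above, as an added example that is not part of the original bug report or of glibc: it flags `$ORIGIN` entries and empty tokens in the RPATH/RUNPATH of setuid/setgid binaries. The function names are hypothetical, the `readelf -d` line format is assumed, and the sample input is constructed.

```python
import os, re, stat, subprocess

# RPATH/RUNPATH lines in the format printed by `readelf -d`.
DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[([^\]]*)\]")
ORIGIN_RE = re.compile(r"\$(?:ORIGIN\b|\{ORIGIN\})")

def classify_tokens(search_path):
    """Return (token, reason) for each colon-separated entry the report singles out."""
    findings = []
    for token in search_path.split(":"):
        if token == "":
            findings.append((token, "empty-token"))  # the entry the report says is read as "./"
        elif ORIGIN_RE.search(token):
            findings.append((token, "origin"))       # $ORIGIN in a privileged program's path
    return findings

def audit(readelf_output):
    """Return (tag, token, reason) for every flagged entry in `readelf -d` text."""
    return [(tag, token, reason)
            for tag, value in DYN_RE.findall(readelf_output)
            for token, reason in classify_tokens(value)]

def is_privileged(path):
    """True for setuid/setgid regular files. File capabilities are not checked."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def scan(path):
    """Audit one on-disk binary; requires readelf from binutils on PATH."""
    if not is_privileged(path):
        return []
    out = subprocess.run(["readelf", "-d", path], capture_output=True, text=True).stdout
    return audit(out)

# Constructed sample input, not taken from a real binary.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/usr/lib64]
"""
SAMPLE_EMPTY = " 0x000000000000000f (RPATH)              Library rpath: [/opt/app/lib::/usr/lib]\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE) + audit(SAMPLE_EMPTY):
        print(finding)
```
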
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2018-02-08 21:57:20 UTC
Fixed upstream in 2.27
Fix added to the gentoo/2.26 branch, will be in patchlevel 6
Comment 3 Larry the Git Cow gentoo-dev 2018-02-08 23:50:03 UTC
The bug has been referenced in the following commit(s):

commit fa2244fedca8e63902ba8d879dbf0f4d9548d754
Author:     Andreas K. Hüttel <>
AuthorDate: 2018-02-08 23:49:17 +0000
Commit:     Andreas K. Hüttel <>
CommitDate: 2018-02-08 23:49:40 +0000

    sys-libs/glibc: Revbump 2.26-r6 with next patchset (patchlevel 6)
    10 test failures need investigating:
    FAIL: elf/tst-prelink-cmp
    XPASS: elf/tst-protected1a
    XPASS: elf/tst-protected1b
    FAIL: malloc/tst-malloc-tcache-leak
    FAIL: math/test-float128-finite-tgamma
    FAIL: math/test-float128-finite-trunc
    FAIL: math/test-float128-tgamma
    FAIL: math/test-float128-trunc
    FAIL: math/test-ifloat128-tgamma
    FAIL: math/test-ifloat128-trunc
    FAIL: misc/tst-ttyname
    UNSUPPORTED: nptl/test-cond-printers
    UNSUPPORTED: nptl/test-condattr-printers
    UNSUPPORTED: nptl/test-mutex-printers
    UNSUPPORTED: nptl/test-mutexattr-printers
    UNSUPPORTED: nptl/test-rwlock-printers
    UNSUPPORTED: nptl/test-rwlockattr-printers
    FAIL: nss/tst-nss-files-hosts-multi
    Summary of test results:
         10 FAIL
       4113 PASS
          6 UNSUPPORTED
         29 XFAIL
          2 XPASS
    Package-Manager: Portage-2.3.21, Repoman-2.3.6

 sys-libs/glibc/Manifest             |   1 +
 sys-libs/glibc/glibc-2.26-r6.ebuild | 836 ++++++++++++++++++++++++++++++++++++
 2 files changed, 837 insertions(+)
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2018-02-09 22:30:54 UTC
Fix added to the gentoo/2.25 branch, will be in patchlevel 14
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2018-04-04 01:55:34 UTC
This issue was resolved and addressed in
 GLSA 201804-02 at
by GLSA coordinator Aaron Bauman (b-man).