Bug 560420 (CVE-2015-8777) - <sys-libs/glibc-2.22-r1: LD_POINTER_GUARD in the environment is not sanitized (CVE-2015-8777)
Summary: <sys-libs/glibc-2.22-r1: LD_POINTER_GUARD in the environment is not sanitized...
Status: RESOLVED FIXED
Alias: CVE-2015-8777
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major with 1 vote
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2015-8776, CVE-2015-8778, CVE-2015-8779
Blocks:
Reported: 2015-09-14 09:18 UTC by Agostino Sarubbo
Modified: 2017-02-19 12:39 UTC

Description Agostino Sarubbo gentoo-dev 2015-09-14 09:18:43 UTC
From ${URL} :

A weakness in the dynamic loader has been found, making glibc of versions prior to 2.22.90 affected.
LD_POINTER_GUARD in the environment is not sanitized, allowing an attacker to easily bypass the
pointer guarding protection on set-user-ID and set-group-ID programs.

Reproducing steps available at:

http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html

CVE request:

http://seclists.org/oss-sec/2015/q3/504


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
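
An added illustration, not part of the original report or of glibc's code: a C model of the secure-mode environment filtering that the description says LD_POINTER_GUARD was missing from. The denylist, `scrub_env` and `in_secure_mode` are names made up for this example, and `secure` is passed in so the logic can be exercised without a set-user-ID binary.

```c
#include <stddef.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */

/* Constructed denylist for this example; the bug concerns the first entry. */
static const char *const unsafe_vars[] = {
    "LD_POINTER_GUARD", "LD_PRELOAD", "LD_LIBRARY_PATH"
};

/* True when entry is "NAME=..." for exactly NAME, not a longer name
   that merely starts with NAME. */
static int names_var(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Compact a NULL-terminated envp in place, dropping every denylisted entry
   (duplicates included) when secure != 0. Returns the number removed. */
size_t scrub_env(char **envp, int secure)
{
    size_t removed = 0;
    char **out = envp;
    if (!secure)
        return 0;
    for (char **in = envp; *in != NULL; in++) {
        int drop = 0;
        for (size_t i = 0; i < sizeof unsafe_vars / sizeof unsafe_vars[0]; i++)
            if (names_var(*in, unsafe_vars[i])) { drop = 1; break; }
        if (drop)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Secure mode as the kernel reports it for set-user-ID / set-group-ID runs. */
int in_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

int main(void)
{
    extern char **environ;
    scrub_env(environ, in_secure_mode());
    return 0;
}
```

The dynamic loader reads its variables before `main()` runs, so a scrub like this in a privileged program only protects the child processes it launches; for the program itself the protection comes from the loader in a fixed glibc.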
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:35:29 UTC
This issue was resolved and addressed in GLSA 201702-11 at https://security.gentoo.org/glsa/201702-11
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:39:38 UTC
This issue was resolved and addressed in GLSA 201702-11 at https://security.gentoo.org/glsa/201702-11
by GLSA coordinator Thomas Deutschmann (whissi).