Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622220 (CVE-2017-1000366) - <sys-libs/glibc-2.23-r4: arbitrary code execution through crafted LD_LIBRARY_PATH values (CVE-2017-1000366)
Summary: <sys-libs/glibc-2.23-r4: arbitrary code execution through crafted LD_LIBRARY_...
Status: RESOLVED FIXED
Alias: CVE-2017-1000366
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-5180 CVE-2016-6323
  Show dependency tree
 
Reported: 2017-06-19 15:13 UTC by GLSAMaker/CVETool Bot
Modified: 2017-09-11 22:03 UTC (History)
7 users (show)

See Also:
Package list:
sys-libs/glibc-2.23-r4
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-06-19 15:13:32 UTC 
CVE-2017-1000366 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000366):
  glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH
  values to manipulate the heap/stack, causing them to alias, potentially
  resulting in arbitrary code execution. Please note that additional hardening
  changes have been made to glibc to prevent manipulation of stack and heap
  memory but these issues are not directly exploitable, as such they have not
  been given a CVE. This affects glibc 2.25 and earlier.
Comment 1 Matthias Maier gentoo-dev 2017-06-19 15:15:52 UTC 
commit 452762af067805761989321f36838ee45168298c (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 14 18:34:42 2017 -0500

    sys-libs/glibc: bump 2.25 to patchset 5
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2

commit 20b7b97d561539d1197f068521879951de2379ce
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 14 18:33:33 2017 -0500

    sys-libs/glibc: bump 2.24 to patchset 8
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2

commit 641b52c3d15af21c1f329c4d9fa76dbb059ab070
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu Jun 8 12:15:53 2017 -0500

    sys-libs/glibc: mark 2.23 stable for amd64 and x86
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2

commit c46d0e63310fe68ed4bf6a3b0c3fbcc5d4d9918b
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu Jun 8 12:14:52 2017 -0500

    sys-libs/glibc: bump 2.23 to patchset 8
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-19 15:20:56 UTC 
@ Arches,

please test and mark stable: =sys-libs/glibc-2.23-r4
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-06-20 17:55:42 UTC 
This issue was resolved and addressed in
 GLSA 201706-19 at https://security.gentoo.org/glsa/201706-19
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-20 17:56:59 UTC 
Re-opening for remaining architectures.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-21 08:54:15 UTC 
ia64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 12:07:02 UTC 
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:19:52 UTC 
ppc64 stable
Comment 8 Markus Meier gentoo-dev 2017-06-23 04:41:44 UTC 
arm stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-26 20:20:33 UTC 
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2017-07-07 09:10:31 UTC 
sparc stable
Comment 11 Matthias Maier gentoo-dev 2017-08-02 17:02:17 UTC 
Remaining arches: m68k, arm64

I will proceed with masking vulnerable glibc versions, glibc-2.23-r4 is marked stable on all stable arches.
Comment 12 Alexis Ballier gentoo-dev 2017-09-02 18:29:52 UTC 
arm64 done
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-09-11 22:03:13 UTC 
old glibc versions are masked and m68k is not a security supported arch.