We have discovered a memory leak and a buffer overflow in the dynamic
loader (ld.so) of the GNU C Library (glibc):
- the memory leak (CVE-2017-1000408) first appeared in glibc 2.1.1
(released on May 24, 1999) and can be reached and amplified through
the LD_HWCAP_MASK environment variable;
- the buffer overflow (CVE-2017-1000409) first appeared in glibc 2.5
(released on September 29, 2006) and can be triggered through the
LD_LIBRARY_PATH environment variable.
Further investigation showed that:
- the buffer overflow is not exploitable if
/proc/sys/fs/protected_hardlinks is enabled (it is not enabled by
default on vanilla Linux kernels, but most Linux distributions turn it
on by default);
- the memory leak and the buffer overflow are not exploitable if the
glibc is patched against CVE-2017-1000366, because this patch ignores
the LD_HWCAP_MASK and LD_LIBRARY_PATH environment variables when SUID
binaries are executed (CVE-2017-1000366 was first patched in glibc
2.26, released on August 2, 2017, but most Linux distributions had
already backported this patch on June 19, 2017).
We have therefore rated the impact of these vulnerabilities as Low.
Nevertheless, we give a brief analysis of the vulnerable function, and
present a simple method for exploiting a SUID binary on the command line
and obtaining full root privileges (if /proc/sys/fs/protected_hardlinks
is not enabled, and CVE-2017-1000366 is not patched).
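An added check, not code from the advisory or from this bug report, that tests the two conditions named above (protected_hardlinks and a glibc carrying the CVE-2017-1000366 fix); it assumes a POSIX sh with getconf, and treats the 2.26 cut-off as a heuristic because, as the advisory notes, distributions backported the fix to earlier releases:

```shell
#!/bin/sh
# Added example, not from the advisory or the bug report: report whether the
# two conditions the advisory names as blocking exploitation hold on this host.
# The 2.26 threshold is a heuristic: distributions backported the
# CVE-2017-1000366 fix to older releases, so "below 2.26" means "check the
# vendor changelog", not "vulnerable".

# version_ge A B: succeed if A >= B, comparing major.minor numerically
# (a bare major such as "3" is treated as "3.0").
version_ge() {
    a_maj=${1%%.*}; a_min=${1#*.}; a_min=${a_min%%.*}
    b_maj=${2%%.*}; b_min=${2#*.}; b_min=${b_min%%.*}
    [ "$1" = "$a_maj" ] && a_min=0
    [ "$2" = "$b_maj" ] && b_min=0
    [ "$a_maj" -gt "$b_maj" ] ||
        { [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -ge "$b_min" ]; }
}
# hardlinks_protected [FILE]: succeed if the sysctl file (default
# /proc/sys/fs/protected_hardlinks) reads 1; a missing file counts as off.
hardlinks_protected() {
    f=${1:-/proc/sys/fs/protected_hardlinks}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
# glibc_version: print the running glibc's version (e.g. "2.31"), or nothing.
glibc_version() { getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'; }
# glibc_fixed [VERSION]: succeed if VERSION (default: the running glibc) is at
# least 2.26, the first upstream release carrying the CVE-2017-1000366 fix.
glibc_fixed() {
    v=${1:-$(glibc_version)}
    [ -n "$v" ] && version_ge "$v" 2.26
}
# report: one line per mitigation; succeed only if both are in place.
report() {
    rc=0
    if hardlinks_protected; then
        echo "protected_hardlinks: on (CVE-2017-1000409 overflow not exploitable)"
    else
        echo "protected_hardlinks: off"; rc=1
    fi
    if glibc_fixed; then
        echo "glibc $v: >= 2.26, CVE-2017-1000366 fixed upstream"
    else
        echo "glibc ${v:-unknown}: < 2.26, look for a backported CVE-2017-1000366 fix"; rc=1
    fi
    return $rc
}

report   # the script's exit status is 0 only when both mitigations are present
```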
Gentoo is not affected because >=sys-libs/glibc-2.23-r4 carries a patch for CVE-2017-1000366.
Repository is clean.