Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 639972 (CVE-2017-1000408, CVE-2017-1000409) - sys-libs/glibc: Multiple vulnerabilities (CVE-2017-{1000408,1000409})
Summary: sys-libs/glibc: Multiple vulnerabilities (CVE-2017-{1000408,1000409})
Alias: CVE-2017-1000408, CVE-2017-1000409
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Depends on:
Reported: 2017-12-05 18:19 UTC by Thomas Deutschmann
Modified: 2017-12-13 14:20 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-12-05 18:19:59 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-12-13 14:12:29 UTC
From $URL:


We have discovered a memory leak and a buffer overflow in the dynamic
loader ( of the GNU C Library (glibc):

- the memory leak (CVE-2017-1000408) first appeared in glibc 2.1.1
  (released on May 24, 1999) and can be reached and amplified through
  the LD_HWCAP_MASK environment variable;

- the buffer overflow (CVE-2017-1000409) first appeared in glibc 2.5
  (released on September 29, 2006) and can be triggered through the
  LD_LIBRARY_PATH environment variable.

Further investigation showed that:

- the buffer overflow is not exploitable if
  /proc/sys/fs/protected_hardlinks is enabled (it is not enabled by
  default on vanilla Linux kernels, but most Linux distributions turn it
  on by default);

- the memory leak and the buffer overflow are not exploitable if the
  glibc is patched against CVE-2017-1000366, because this patch ignores
  the LD_HWCAP_MASK and LD_LIBRARY_PATH environment variables when SUID
  binaries are executed (CVE-2017-1000366 was first patched in glibc
  2.26, released on August 2, 2017, but most Linux distributions had
  already backported this patch on June 19, 2017).

We have therefore rated the impact of these vulnerabilities as Low.
Nevertheless, we give a brief analysis of the vulnerable function, and
present a simple method for exploiting a SUID binary on the command line
and obtaining full root privileges (if /proc/sys/fs/protected_hardlinks
is not enabled, and CVE-2017-1000366 is not patched).

Comment 2 Thomas Deutschmann gentoo-dev Security 2017-12-13 14:20:49 UTC
Gentoo is not affected because >=sys-libs/glibc-2.23-r4 carries patch for CVE-2017-1000366.

Repository is clean.

All done.