Vulnerability Note VU#537223
GNU C library dynamic linker expands $ORIGIN in setuid library search path
Certain versions of glibc unsafely handle the $ORIGIN ELF substitution sequence which can be exploited to gain local privilege escalation.
Tavis Ormandy's advisory states:
"$ORIGIN is an ELF substitution sequence representing the location of the executable being loaded in the filesystem hierarchy. The intention is to allow executables to specify a search path for libraries that is relative to their location, to simplify packaging without spamming the standard search paths with single-use libraries."
A local unprivileged attacker can escalate their privileges to root.
Apply an update for the glibc packages from distribution vendors.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|CentOS||Affected||-||25 Oct 2010|
|Debian GNU/Linux||Affected||-||26 Oct 2010|
|Fedora Project||Affected||-||25 Oct 2010|
|Mandriva S. A.||Affected||-||26 Oct 2010|
|Red Hat, Inc.||Affected||-||25 Oct 2010|
|Slackware Linux Inc.||Affected||-||26 Oct 2010|
|Ubuntu||Affected||-||26 Oct 2010|
|Gentoo Linux||Unknown||-||25 Oct 2010|
CVSS Metrics (Learn More)
Thanks to Tavis Ormandy for researching and publishing the details of this vulnerability.
This document was written by Jared Allar.
- CVE IDs: CVE-2010-3847
- Date Public: 18 Oct 2010
- Date First Published: 25 Oct 2010
- Date Last Updated: 26 Oct 2010
- Severity Metric: 13.36
- Document Revision: 16
If you have feedback, comments, or additional information about this vulnerability, please send us email.