search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Debian glibc 2 symlink issue could allow arbitrary file overwriting

Vulnerability Note VU#664141

Original Release Date: 2001-07-24 | Last Revised: 2001-07-31

Overview

Some versions of ld.so, the loader for shared libraries in UNIX/LINUX, do not properly clear risky environment variables, allowing a symlink attack to overwrite arbitrary files.

Description

LD_DEBUG_OUTPUT specifies a directory in which ld.so creates a file with a predictable name based on the process ID. ld.so uses this file to store debugging information. The current version of ld.so does not unset the environment variable LD_DEBUG_OUTPUT prior to calling setuid root programs. Even though setuid root programs are forced to ignore the LD_DEBUG_OUTPUT variable, output would be generated there by programs called from setuid root programs.

Impact

By setting up appropriate symlinks, a malicious user could cause arbitrary files to be overwritten with debugging information.

Solution

Pending patch information by the vendor, CERT/CC is unaware of a practical solution to this problem.

Vendor Information

664141
Expand all

Debian

Notified:  May 25, 2001 Updated:  June 08, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The original report of this vulnerabilty was by Jakub Vlasek .

This document was last modifed by Tim Shimeall.

Other Information

CVE IDs: CVE-2000-0959
Severity Metric: 0.11
Date Public: 2000-09-26
Date First Published: 2001-07-24
Date Last Updated: 2001-07-31 16:29 UTC
Document Revision: 8

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.