The LD_DEBUG environment variable is one of those obscure but useful features
found in glibc. By setting LD_DEBUG to one of a few specific values (set it to
help to get the full list), you can get a great deal of
information on just how the dynamic library loader is resolving symbols and
performing relocations. This information can be most useful for tracking
down certain kinds of obscure shared library problems.

LD_DEBUG can be verbose; it can also provide information about
security-critical programs - especially those running setuid - which
perhaps should not be made available to just anybody. The large amount of
output created by LD_DEBUG can also be used as a sort of poor man's
single-stepping mechanism. If you can control when the standard output
will block, you can stop a setuid program at almost any library call. This
capability can be most useful if you are trying to exploit a difficult race
condition, such as a temporary file vulnerability. The ability to stop a
program at an arbitrary point can turn a small, difficult window into a
wide-open one which can be exploited at leisure.

Thus, it would make sense to disallow LD_DEBUG for setuid binaries.
Unfortunately, this didn't occur to the glibc implementors, who did not add
any checks for setuid operation in the LD_DEBUG code. Gentoo has recently
issued an update fixing the problem; no other
distributors have followed suit as of this writing.

As it turns out, some distributors do not need to. Openwall fixed this
problem over three years ago; ALT Linux also patched glibc in its
distribution. Somehow, however, the fixes applied by these distributors
never got into wider distribution.

This is not the first time that somebody has discovered a security problem
for which a fix had been available for years. These incidents are, at
best, a missed opportunity: known holes with available fixes remain
unpatched for long periods of time. A less pleasant possibility is that
crackers can look at the patches applied by security-conscious
distributions (such as Openwall) in search of holes which have not been
fixed elsewhere. Security fixes are best applied universally.

The obvious way to ensure widespread diffusion of security fixes is to
submit them back to the package's maintainer. Such patches should almost
always be accepted - or the maintainer should come up with a better way to
fix the problem. If the maintainer refuses to fix the problem, there is
always the time-honored technique of posting an advisory to Bugtraq. What
should not be an option is keeping security fixes to oneself.
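An added check, not part of the article, that an administrator can run to see whether the loader on a host still honours LD_DEBUG for privileged binaries; it assumes a glibc system whose ld.so writes its LD_DEBUG trace to standard error, and note that it actually executes the binary it inspects.

```shell
#!/bin/sh
# Added example, not from the LWN article: does this host's dynamic loader
# emit LD_DEBUG tracing for a given executable? Assumes glibc's ld.so, which
# writes the trace to stderr. A loader carrying the kind of setuid check the
# article asks for should stay silent for setuid/setgid programs; an unfixed
# one traces them just like any other binary.

# ld_debug_traces PATH: prints "traced" or "silent" and returns 0; returns 2
# if PATH is not an executable file. PATH is really executed (no arguments,
# stdin from /dev/null), so pick a binary whose bare invocation is harmless.
ld_debug_traces() {
    bin=$1
    [ -f "$bin" ] && [ -x "$bin" ] || return 2
    # Route the loader's stderr into grep and discard the program's stdout;
    # "|| true" stops grep's "no match" status from aborting a set -e script.
    n=$(LD_DEBUG=libs "$bin" </dev/null 2>&1 >/dev/null \
        | grep -c -e 'find library=' -e 'calling init' || true)
    if [ "${n:-0}" -gt 0 ]; then echo traced; else echo silent; fi
}

# audit_privileged DIR...: report every setuid/setgid file under DIR whose
# execution is still traced, i.e. the unfixed behaviour the article describes.
audit_privileged() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        [ "$(ld_debug_traces "$f")" = traced ] &&
            echo "LD_DEBUG honoured for privileged binary: $f"
    done
    return 0
}
```

Running `audit_privileged /usr /bin /sbin` as an unprivileged user lists the privileged binaries on which the loader still emits debugging output; an empty report means the loader is quiet in secure mode.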
New vulnerabilities
Cacti: SQL injection vulnerability
Package(s): cacti
CVE #(s): none
Created: August 23, 2004
Updated: August 25, 2004
Description:
Cacti is vulnerable to a SQL injection attack where an attacker may
inject SQL into the Username field. An attacker could use this
vulnerability to compromise the Cacti service and potentially execute
programs with the permissions of the user running Cacti.
Alerts:

courier-imap: Remote Format String Vulnerability
Package(s): courier-imap
CVE #(s): CAN-2004-0777
Created: August 20, 2004
Updated: August 26, 2004
Description:
There is a format string vulnerability in the auth_debug() function which
can be exploited remotely, potentially leading to arbitrary code execution
as the user running the IMAP daemon (which is often root). A remote
attacker may send username or password information containing printf()
format tokens (such as "%s"), which will crash the server or cause it to
execute arbitrary code. This vulnerability can only be exploited if
DEBUG_LOGIN is set to something other than 0 in the imapd config file.
If DEBUG_LOGIN is enabled in the imapd configuration, a remote attacker
may execute arbitrary code as the root user.
Alerts:

icecast-server: missing escape
Package(s): icecast-server
CVE #(s): CAN-2004-0781
Created: August 24, 2004
Updated: August 25, 2004
Description:
Markus Wörle discovered a cross site scripting problem in the
status display (list.cgi) of the icecast internal web server, an MPEG
layer III streaming server. The UserAgent variable is not properly
HTML-escaped, so an attacker could cause the client to execute
arbitrary JavaScript.
Alerts:

qt3: BMP image parser heap overflow
Package(s): qt3/qt3-non-mt/qt3-32bit/qt3-static
CVE #(s): CAN-2004-0691, CAN-2004-0692, CAN-2004-0693
Created: August 19, 2004
Updated: May 15, 2005
Description:
A heap overflow in the qt3 BMP image format parser in Qt versions prior
to 3.3.3 may allow remote code execution.
Alerts:

roundup: remote file access vulnerability
Package(s): roundup
CVE #(s): none
Created: August 18, 2004
Updated: August 25, 2004
Description:
The roundup issue tracker has a vulnerability that allows
a remote attacker to read files owned by the user that is
running the application.
Alerts:

zlib: denial of service
Package(s): zlib
CVE #(s): CAN-2004-0797
Created: August 25, 2004
Updated: June 10, 2005
Description:
Versions 1.2.x of the zlib library contain an error-handling
vulnerability which can enable denial-of-service attacks.
Alerts:

Page editor: Jonathan Corbet