GNU libc (glibc) SUID Binary Debugging Information Disclosure

2004-08-16T05:24:28
ID OSVDB:9010
Type osvdb
Reporter Silvio Cesare (silvio@qualys.com)
Modified 2004-08-16T05:24:28

Description

Vulnerability Description

glibc contains a flaw that may lead to unauthorized information disclosure. The LD_DEBUG environment variable is honored for setuid binaries, which may allow a local attacker to debug a setuid binary and gain sensitive information about the system, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.3.4.20040619-r1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.gnu.org/software/libc/libc.html
Vendor Specific Advisory URL
Vendor Specific Advisory URL
Security Tracker: 1010975
Secunia Advisory ID: 12306
Secunia Advisory ID: 15186
Secunia Advisory ID: 15415
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200408-16.xml
Other Advisory URL: http://rhn.redhat.com/errata/RHSA-2005-261.html
Other Advisory URL: http://rhn.redhat.com/errata/RHSA-2005-256.html
ISS X-Force ID: 17006
CVE-2004-1453
Bugtraq ID: 10963