CVSS2: 6.9 Medium (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

EPSS: 0.0004 Low (Percentile: 9.3%)

DISPUTED ldd in the GNU C Library (aka glibc or libc6) 2.13 and
earlier allows local users to gain privileges via a Trojan horse executable
file linked with a modified loader that omits certain
LD_TRACE_LOADED_OBJECTS checks. NOTE: the GNU C Library vendor states
“This is just nonsense. There are a gazillion other ways to introduce code
if people are downloading arbitrary binaries and install them in
appropriate directories or set LD_LIBRARY_PATH etc.”

Author | Note |
---|---|
mdeslaur | lucid+ debian packages have a fix in debian/patches/all/local-ldd.diff; this is disputed, and is low…let’s ignore. |
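
The description above turns on which loader an executable names. As an added example (not part of this entry, glibc, or the Debian patch), the following reads the ELF `PT_INTERP` program header without executing the file and compares it to an allowlist before the file is handed to `ldd`. The allowlist paths, function names and the sample ELF bytes are assumptions constructed for illustration.

```python
import struct

PT_INTERP = 3
# Assumption: loader paths shipped by the local distribution; adjust per system.
TRUSTED_LOADERS = {"/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2"}

def elf_interp(data):
    """Return the PT_INTERP path of an ELF image (None if absent) without executing it."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    try:
        is64 = {1: False, 2: True}[data[4]]      # EI_CLASS
        e = {1: "<", 2: ">"}[data[5]]            # EI_DATA (byte order)
        if is64:
            phoff, = struct.unpack_from(e + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 0x36)
        else:
            phoff, = struct.unpack_from(e + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 0x2A)
        for i in range(phnum):
            base = phoff + i * phentsize
            p_type, = struct.unpack_from(e + "I", data, base)
            if p_type != PT_INTERP:
                continue
            if is64:   # Elf64_Phdr: p_offset at +8, p_filesz at +32
                off, size = struct.unpack_from(e + "Q16xQ", data, base + 8)
            else:      # Elf32_Phdr: p_offset at +4, p_filesz at +16
                off, size = struct.unpack_from(e + "I8xI", data, base + 4)
            if off + size > len(data):
                raise ValueError("PT_INTERP outside file")
            return data[off:off + size].split(b"\0", 1)[0].decode("utf-8", "replace")
    except (KeyError, IndexError, struct.error) as exc:
        raise ValueError("malformed ELF header") from exc
    return None

def ldd_verdict(data):
    """Classify a file by its requested loader before handing it to ldd."""
    interp = elf_interp(data)
    if interp is None:
        return "no-interp"
    return "trusted-loader" if interp in TRUSTED_LOADERS else "untrusted-loader"

def sample_elf64(interp):
    """Constructed minimal little-endian ELF64 image with a single PT_INTERP header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(interp) + 1, len(interp) + 1, 1)
    return ehdr + phdr + interp + b"\0"
```

To list the dependencies of a file that fails this check, `objdump -p FILE | grep NEEDED` reads the dynamic section without running any loader, which is the alternative ldd(1) itself recommends for untrusted executables.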