Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20000926-1
dburcaw@terraplex.com
Date: Tue Sep 26 2000 - 16:32:31 MDT
Yellow Dog Linux Security Announcement
--------------------------------------
Package: glibc
Issue Date: September 26, 2000
Update Date: September 26, 2000
Priority: high
Advisory ID: YDU-20000926-1
1. Topic:
Security problems in glibc were found that could allow local users to
gain root access.
2. Problem:
"The dynamic linker ld.so uses several environment variables like LD_PRELOAD
and LD_LIBRARY_PATH to load additional libraries or modify the library
search path. It is unsafe to accept arbitrary user specified values
of these variables when executing setuid applications, so ld.so handles
them specially in setuid programs and also removes them from the
environment.
One of the discovered bugs causes these variables not to be
removed from the environment under certain circumstances. This does not
cause any threat to setuid application themselves, but it could be
exploited if a setuid application does not either drop privileges or clean
up its environment prior to executing other programs.
A number of additional bugs have been found in glibc locale and
internationalization security checks." (from Red Hat errata advisory)
3. Solution:
a) Updating via yup...
We suggest that you use the Yellow Dog Update Program (yup)
to keep your system up-to-date. The following command will
automatically retrieve and install the fixed version of
glibc onto your system:
yup update glibc
yup update glibc-devel
yup update glibc-profile
yup update nscd
b) Updating manually...
The update can also be retrieved manually from our ftp site
below along with the rpm command that should be used to install
the update.
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/
glibc-2.1.3-15f.ppc.rpm
glibc-devel-2.1.3-15f.ppc.rpm
glibc-profile-2.1.3-15f.ppc.rpm
nscd-2.1.3-15f.ppc.rpm
rpm -Fvh *-2.1.3-15f.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
7bf4e480d16ec6b922e51e051627e84f RPMS/glibc-2.1.3-15f.ppc.rpm
50d9b472da7ab9cb211e34c813d00288 RPMS/glibc-devel-2.1.3-15f.ppc.rpm
cdd33e9b0259a6072cff5f62dfff33a2 RPMS/glibc-profile-2.1.3-15f.ppc.rpm
2ed0f6b48cb753189efd1bc2c77041f9 RPMS/nscd-2.1.3-15f.ppc.rpm
6b7bd7bc7ebeb08180c50c4f39bb9a3a SRPMS/glibc-2.1.3-15f.src.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of yup, the Yellow Dog Update Program, see
http://devel.yellowdoglinux.com/rp_yup.shtml
This archive was generated by hypermail 2a24 : Tue Sep 26 2000 - 16:35:08 MDT