RHSA-2010:0872-02 -- Redhat glibcID: oval:org.secpod.oval:def:500442 | Date: (C)2012-01-31 (M)2023-11-09 |
Class: PATCH | Family: unix |
The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. Red Hat would like to thank Tavis Ormandy for reporting the CVE-2010-3847 issue, and Ben Hawkes and Tavis Ormandy for reporting the CVE-2010-3856 issue. This update also fixes the following bugs: * Previously, the generic implementation of the strstr and memmem functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected. * The "TCB_ALIGNMENT" value has been increased to 32 bytes to prevent applications from crashing during symbol resolution on 64-bit systems with support for Intel AVX vector registers. All users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
Platform: |
Red Hat Enterprise Linux 6 |