------------------------------------------------------------------------
Debian Security Advisory DSA-039-1                   security@debian.org 
Debian -- Security Information                          Wichert Akkerman
March  8, 2001
------------------------------------------------------------------------


Package        : glibc
Problem type   : local file overwrite
Debian-specific: no

The version of GNU libc that was distributed with Debian GNU/Linux 2.2
suffered from 2 security problems:

* It was possible to use LD_PRELOAD to load libraries that are listed in
  /etc/ld.so.cache, even for suid programs. This could be used to create
  (and overwrite) files which a user should not be allowed to.

* By using LD_PROFILE, suid programs would write data to a file
  in /var/tmp, which was not done safely. Again, this could be used
  to create (and overwrite) files which a user should not have access
  to.

Both problems have been fixed in version 2.1.3-17 and we recommend that
you upgrade your glibc packages immediately.

Please note that a side-effect of this upgrade is that ldd will no longer
work on suid programs, unless you are logged in as root.
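
Added illustration (not glibc source and not part of the original advisory):
the two defensive checks the problems above call for, written as a small C
program. The function names, the simplified "ignore both variables" policy and
the /tmp demo paths are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Secure mode: real and effective IDs differ (suid/sgid program). */
int is_secure_mode(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    return ruid != euid || rgid != egid;
}

/* Hypothetical, simplified policy: in secure mode ignore both variables
   named in the advisory outright. */
int env_honoured(const char *name, int secure) {
    if (!secure) return 1;
    return strcmp(name, "LD_PRELOAD") != 0 && strcmp(name, "LD_PROFILE") != 0;
}

/* O_CREAT|O_EXCL fails with EEXIST if the name already exists, even as a
   dangling symlink, so a pre-planted link cannot redirect the write. */
int create_output_file(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a symlink already sits where the output file goes.
   Returns 1 if the open is refused and the link target is never created. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/dsa039-demo-XXXXXX", lnk[128], target[128];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(lnk, sizeof lnk, "%s/prog.profile", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, lnk) != 0) { rmdir(dir); return 0; }
    int fd = create_output_file(lnk);
    int refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    int untouched = (stat(target, &st) == -1 && errno == ENOENT);
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return refused && untouched;
}

int main(void) {
    printf("planted symlink refused: %d\n", demo_symlink_refused());
    return 0;
}
```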


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.


Debian GNU/Linux 2.2 alias potato
---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  These files will be moved into
     soon.

For not yet released architectures please refer to the appropriate
directory    .

--
----------------------------------------------------------------------------
apt-get: deb  Debian -- Security Information  stable/updates main
dpkg-ftp:    dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

