Title: glibc 2.2 local vulnerability
Released by: Slackware
Date: 12th January 2001

glibc-2.2 contains a local vulnerability that affects all setuid root
binaries.  Any user on affected systems will be able to read any file on
the system through a simple process:  The user sets the RESOLV_HOST_CONF
environment variable to the name of the file that they wish to read, then
runs any setuid root program that makes use of that variable.  The file is
then written to stderr.

The original BugTraq announcement can be read at the following URL:

   http://www.securityfocus.com/archive/1/155352

Users of Slackware -current are strongly urged to upgrade to the new
glibc packages in the -current branch.
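
The flaw described above comes down to a privileged program trusting a file
path taken from the caller's environment.  The following C code is an added
example of the general defence (ignore or scrub such overrides when the
process runs elevated); it is not glibc's actual fix and not part of the
Slackware advisory.  The creds struct and all function names are
hypothetical, and /etc/host.conf is assumed to be the default file that
RESOLV_HOST_CONF overrides.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials are passed in explicitly so the decision logic can be
 * exercised without installing a setuid binary. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

/* Variables that redirect file lookups; only RESOLV_HOST_CONF comes from
 * the advisory, a real list would be longer. */
static const char *const path_overrides[] = { "RESOLV_HOST_CONF", NULL };

/* Elevated: effective IDs differ from real IDs, so the environment was
 * written by a less privileged user than the one the process acts as. */
int runs_elevated(const struct creds *c)
{
    return c->ruid != c->euid || c->rgid != c->egid;
}

/* Drop every path override from the environment of an elevated process.
 * Returns the number of variables removed. */
int scrub_overrides(const struct creds *c)
{
    int removed = 0;
    if (!runs_elevated(c))
        return 0;
    for (size_t i = 0; path_overrides[i]; i++)
        if (getenv(path_overrides[i]) && unsetenv(path_overrides[i]) == 0)
            removed++;
    return removed;
}

/* File the resolver configuration is read from: the override is honoured
 * only when the process is not elevated. */
const char *host_conf_path(const struct creds *c)
{
    const char *p = runs_elevated(c) ? NULL : getenv("RESOLV_HOST_CONF");
    return (p && *p) ? p : "/etc/host.conf";   /* assumed default path */
}

int main(void)
{
    struct creds me = { getuid(), geteuid(), getgid(), getegid() };
    scrub_overrides(&me);
    printf("host.conf path: %s\n", host_conf_path(&me));
    return 0;
}
```

glibc 2.17 and later provide secure_getenv(), which returns NULL for any
variable when the process was started in secure-execution mode.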



=========================================================================
glibc 2.2 AVAILABLE - (a1/glibcso.tgz, d1/glibc.tgz)
=========================================================================

PACKAGE INFORMATION:
--------------------
a1/glibcso.tgz:
   This package contains the runtime libraries for glibc 2.2.  All users
   of Slackware -current should upgrade this package.

d1/glibc.tgz:
   This is the full glibc 2.2 package, complete with headers and static
   libraries.  If you had previously installed this package, you need
   to upgrade it.

WHERE TO FIND THE NEW PACKAGES:
-------------------------------
All new packages can be found in the -current branch:

http://ftp.slackware.com/pub/slackware/slackware-current/slakware/a1/glibcso.tgz
http://ftp.slackware.com/pub/slackware/slackware-current/slakware/d1/glibc.tgz

MD5 SIGNATURES AND CHECKSUMS:
-----------------------------
Here are the md5sums and checksums for the packages:

   16-bit "sum" checksum:
   39060  1054   a1/glibcso.tgz
   61562 26779   d1/glibc.tgz

   128-bit MD5 message digest:
   6ea2e3fecf1a1a970f1e37b7be7c12aa  a1/glibcso.tgz
   4f1e8ef903f1d0dd675aaf0cc3926177  d1/glibc.tgz

INSTALLATION INSTRUCTIONS:
--------------------------
It is recommended that the two packages above be upgraded in single user
mode (runlevel 1).  Bring the system into runlevel 1:

   # telinit 1

Then upgrade the packages:

   # upgradepkg .tgz

Then bring the system back into multiuser mode:

   # telinit 3

Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com
