Bug 58909 (CVE-2004-1453)

Summary: VUL-0: CVE-2004-1453: glibc: Information leak with LD_DEBUG
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1453: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: typescript

Description Ludwig Nussel 2004-08-18 00:15:24 UTC 
Gentoo has issued an advisory: 
http://www.gentoo.org/security/en/glsa/glsa-200408-16.xml 
 
"An attacker can gain the list of symbols a SUID application uses and their 
locations and can then use a trojaned library taking precendence over those 
symbols to gain information or perform further exploitation." 
 
Sounds rather weird to me.
Comment 1 Thorsten Kukuk 2004-08-18 00:53:25 UTC 
Sounds like bullshit to me. I don't need LD_DEBUG to gather this 
informations. 
And how should using a trojaned library work? You cannot preload a 
library or modify the searchpath for a suid application. 
 
And I cannot find a mail or patch which should change something in 
this area. Without more informations, there is nothing I can do.
Comment 2 Ludwig Nussel 2004-08-18 16:09:54 UTC 
I don't know more than they state in their advisory. This seems to be the 
patch they used: 
http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-libs/glibc/files/glibc-sec-hotfix-20040804.patch?rev=1.1&content-type=text/vnd.viewcvs-markup 
 
If it's bullshit then so it be. It's Gentoo you know ... ;-)
Comment 3 Thorsten Kukuk 2004-08-18 16:30:44 UTC 
The malloc part is bogus. Don't know about the second 
part, but it was never send upstream to glibc developers. 
And the patch was not made against the CVS version we are 
using, seems this is a much older version (maybe the last 
official release? I don't know).
Comment 4 Thorsten Kukuk 2004-08-18 17:30:27 UTC 
Ok, got an answer from main glibc hackers: 
 
"LD_DEBUG=all doesn't give you exact addresses of symbols 
(but LD_TRACE_PRELINKING=1 does, maybe we should turn that off for 
__libc_enable_secure and missing /etc/suid-debug). 
It only tells you which libraries' symbols are used. 
 
Andou can't LD_PRELOAD a trojaned library to a suid binary 
(unless it is in the standard paths and sgid I think) nor you can 
use LD_LIBRARY_PATH to trick it in any way." 
 
The "fix" itself is wrong.
Comment 5 Thomas Biege 2004-08-18 17:58:40 UTC 
Thorsten, 
do you think it's worth to add these two variables to the list of ignored 
variables for setuid applications (#define UNSECURE_ENVVARS) for the next 
release?
Comment 6 Thorsten Kukuk 2004-08-18 18:02:16 UTC 
No, what sense should this have?
Comment 7 Thomas Biege 2004-08-18 21:23:25 UTC 
Created attachment 22786 [details]
typescript

For the case when a setuid binary is protected by permissions 4711 and you are
not able to read the symbols (like using nm) you can get the desired
informations using LD-DEBUG=all.
Comment 8 Thomas Biege 2004-08-18 21:24:58 UTC 
It is no big deal for sure but it may be nice to have it included.
Comment 9 Marcus Meissner 2004-08-18 21:27:19 UTC 
I suggest fixing it in STABLE / upstream CVS.
Comment 10 Ludwig Nussel 2005-04-29 08:59:27 UTC 
CAN-2004-1453
Comment 11 Thomas Biege 2009-10-13 20:32:43 UTC 
CVE-2004-1453: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)