CVE-2017-16997

EUVD-2017-8165

18.12.2017, 01:29

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Affected Products (NVD)

Vendor	Product	Version
gnu	glibc	2.19
gnu	glibc	2.20
gnu	glibc	2.21
gnu	glibc	2.22
gnu	glibc	2.23
gnu	glibc	2.25
gnu	glibc	2.26
redhat	enterprise_linux_desktop	7.0
redhat	enterprise_linux_server	7.0
redhat	enterprise_linux_workstation	7.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

glibc

bookworm	2.36-9+deb12u8 fixed
bookworm (security)	2.36-9+deb12u7 fixed
bullseye	2.31-13+deb11u11 fixed
bullseye (security)	2.31-13+deb11u10 fixed
sid	2.40-3 fixed
trixie	2.40-3 fixed
wheezy	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

eglibc

artful	dne
bionic	dne
cosmic	dne
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
trusty	Fixed 2.19-0ubuntu6.14 released
xenial	dne
zesty	dne

glibc

artful	Fixed 2.26-0ubuntu2.1 released
bionic	not-affected
cosmic	not-affected
disco	not-affected
eoan	not-affected
focal	not-affected
groovy	not-affected
hirsute	not-affected
trusty	dne
xenial	Fixed 2.23-0ubuntu10 released
zesty	ignored

Common Weakness Enumeration

CWE-426 - Untrusted Search Path
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

References

http://www.securityfocus.com/bid/102228

https://access.redhat.com/errata/RHBA-2019:0327

https://access.redhat.com/errata/RHSA-2018:3092

https://bugs.debian.org/884615