Yellow Dog Linux Security Announcement -------------------------------------- Package: glibc Issue Date: September 26, 2000 Update Date: September 26, 2000 Priority: high Advisory ID: YDU-20000926-1 1. Topic: Security problems in glibc were found that could allow local users to gain root access. 2. Problem: "The dynamic linker ld.so uses several environment variables like LD_PRELOAD and LD_LIBRARY_PATH to load additional libraries or modify the library search path. It is unsafe to accept arbitrary user specified values of these variables when executing setuid applications, so ld.so handles them specially in setuid programs and also removes them from the environment. One of the discovered bugs causes these variables not to be removed from the environment under certain circumstances. This does not cause any threat to setuid application themselves, but it could be exploited if a setuid application does not either drop privileges or clean up its environment prior to executing other programs. A number of additional bugs have been found in glibc locale and internationalization security checks." (from Red Hat errata advisory) 3. Solution: a) Updating via yup... We suggest that you use the Yellow Dog Update Program (yup) to keep your system up-to-date. The following command will automatically retrieve and install the fixed version of glibc onto your system: yup update glibc yup update glibc-devel yup update glibc-profile yup update nscd b) Updating manually... The update can also be retrieved manually from our ftp site below along with the rpm command that should be used to install the update. ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/champion-1.2/ppc/RPMS/ glibc-2.1.3-15f.ppc.rpm glibc-devel-2.1.3-15f.ppc.rpm glibc-profile-2.1.3-15f.ppc.rpm nscd-2.1.3-15f.ppc.rpm rpm -Fvh *-2.1.3-15f.ppc.rpm 4. Verification MD5 checksum Package -------------------------------- ---------------------------- 7bf4e480d16ec6b922e51e051627e84f RPMS/glibc-2.1.3-15f.ppc.rpm 50d9b472da7ab9cb211e34c813d00288 RPMS/glibc-devel-2.1.3-15f.ppc.rpm cdd33e9b0259a6072cff5f62dfff33a2 RPMS/glibc-profile-2.1.3-15f.ppc.rpm 2ed0f6b48cb753189efd1bc2c77041f9 RPMS/nscd-2.1.3-15f.ppc.rpm 6b7bd7bc7ebeb08180c50c4f39bb9a3a SRPMS/glibc-2.1.3-15f.src.rpm If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command: rpm --checksig --nogpg filename 5. Misc. Terra Soft has setup a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more information. For information regarding the usage of yup, the Yellow Dog Update Program, see http://http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml