elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 up to and including 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretation of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
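
The two conditions named in the description ($ORIGIN in RPATH/RUNPATH, and an empty token) can be looked for in the `readelf -d` output of setuid/setgid binaries. This is an added triage example, not code from glibc or from this advisory; the function names, the sample output and `libdemo.so.1` are constructed for illustration.

```python
import re
import stat

AFFECTED = ((2, 19), (2, 26))  # version range stated in the advisory, inclusive
# Matches the RPATH/RUNPATH rows of `readelf -d` output.
DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

def glibc_affected(version):
    """True if a glibc version string such as '2.24' is in the advisory's range."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return AFFECTED[0] <= (major, minor) <= AFFECTED[1]

def risky_tokens(search_path):
    """Return (position, token, reason) for the tokens the advisory describes."""
    found = []
    for pos, tok in enumerate(search_path.split(":")):
        if tok == "":
            # Leading, trailing or doubled ':' leaves an empty token.
            found.append((pos, tok, "empty token"))
        elif "$ORIGIN" in tok or "${ORIGIN}" in tok:
            found.append((pos, tok, "$ORIGIN"))
    return found

def audit(readelf_dynamic, mode, glibc_version):
    """Findings for one binary; [] if it is not setuid/setgid or glibc is out of range."""
    # Mode bits only show setuid/setgid. AT_SECURE can also be set in other
    # cases (for example file capabilities), which this check does not see.
    privileged = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    if not (privileged and glibc_affected(glibc_version)):
        return []
    findings = []
    for tag, value in DYN_RE.findall(readelf_dynamic):
        findings += [(tag, pos, tok, why) for pos, tok, why in risky_tokens(value)]
    return findings

# Constructed sample: the shape of `readelf -d` output for a hypothetical binary.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libdemo.so.1]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib::/opt/demo/lib]
"""

if __name__ == "__main__":
    for row in audit(SAMPLE, 0o104755, "2.24"):
        print(row)
```

The version comparison uses the upstream range only; distribution packages may carry backported fixes, so treat a match as a prompt to check the vendor advisory.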
| Vulnerable Product |
|---|
| gnu glibc 2.22 |
| gnu glibc 2.25 |
| gnu glibc 2.19 |
| gnu glibc 2.20 |
| gnu glibc 2.21 |
| gnu glibc 2.23 |
| gnu glibc 2.26 |
| redhat enterprise linux workstation 7.0 |
| redhat enterprise linux desktop 7.0 |
| redhat enterprise linux server 7.0 |