A couple of bugs in the GNU C library 2.2 allow an unprivileged user to read restricted files and to preload libraries from the /lib and /usr/lib directories into SUID programs, even if those libraries have not been marked as SUID by the system administrator.
Because of a typo in the glibc source, the RESOLV_HOST_CONF and RES_OPTIONS variables were not removed from the environment of SUID/SGID programs. The LD_PRELOAD variable is normally honoured even for SUID/SGID applications (and removed from the environment afterwards) if it does not contain `/' characters, but there is a special check which preloads the libraries found only if they have the SUID bit set. If a library was found in /etc/ld.so.cache, however, this check was not done, so a malicious user could preload some /lib or /usr/lib library into a SUID/SGID application and, for example, create or overwrite a file he did not have permission to.

In addition to fixing these security bugs, some non-security-related bugs have been fixed as well, namely the RPC behaviour on unconnected UDP sockets with 2.4 kernels and an alphaev6 memcpy bug causing random crashes on alphaev6. In addition, this glibc provides a temporary workaround for a bug in IBM JDK 1.1.8.
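Added here as an illustration, not part of the advisory or of glibc: a small C program a defender can build on a test machine, install set-user-ID, and run with the three variables set in the environment. A dynamic loader that sanitises the environment of privileged programs, as the fixed glibc does, removes all of them before main() runs, so the program should report zero surviving variables. The variable names are the ones the advisory lists; the function names and the sample environment in count_unsafe_in_sample() are constructed for this example.

```c
/* Added example (not from the advisory or glibc): report which of the
 * environment variables named in the advisory survive into this process.
 * Build:   cc -o envcheck envcheck.c
 * Install: chown root envcheck && chmod u+s envcheck   (test machine only)
 * Run:     LD_PRELOAD=libc.so.6 RES_OPTIONS=debug RESOLV_HOST_CONF=/tmp/h ./envcheck
 * Expected with a sanitising loader: "unsafe variables present: 0". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variables the advisory says must not reach a SUID/SGID process. */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "RESOLV_HOST_CONF", "RES_OPTIONS", NULL
};

/* Return 1 if `entry` (a "NAME=value" string) names one of unsafe_vars. */
static int is_unsafe_entry(const char *entry)
{
    for (size_t i = 0; unsafe_vars[i] != NULL; i++) {
        size_t n = strlen(unsafe_vars[i]);
        /* Require the '=' so that e.g. LD_PRELOAD_X= is not matched. */
        if (strncmp(entry, unsafe_vars[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Count unsafe entries in a NULL-terminated environment block. */
int count_unsafe_env(char *const *envp)
{
    int count = 0;
    for (; *envp != NULL; envp++)
        if (is_unsafe_entry(*envp))
            count++;
    return count;
}

/* Same check over a constructed sample environment (for self-testing). */
int count_unsafe_in_sample(void)
{
    char *sample[] = {
        "PATH=/usr/bin:/bin",          /* harmless */
        "LD_PRELOAD=libexample.so",    /* unsafe: constructed value */
        "LD_PRELOAD_X=ignored",        /* harmless: not an exact name */
        "RES_OPTIONS=debug",           /* unsafe */
        "RESOLV_HOST_CONF=/tmp/hosts", /* unsafe: constructed value */
        NULL
    };
    return count_unsafe_env(sample);
}

/* 1 if the real and effective ids differ, i.e. we run set-uid/set-gid. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

int main(void)
{
    int n = count_unsafe_env(environ);
    printf("privileged: %s\n", running_privileged() ? "yes" : "no");
    printf("unsafe variables present: %d\n", n);
    for (char **e = environ; *e != NULL; e++)
        if (is_unsafe_entry(*e))
            printf("  %s\n", *e);
    /* For a privileged process any surviving variable is a finding. */
    return (running_privileged() && n > 0) ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run the same binary once without the set-user-ID bit to confirm the variables are visible in an unprivileged process (the loader only strips them in privileged mode), and once with it to confirm they are gone; a non-zero exit status from the privileged run points at a loader that still passes them through.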