Glibc Locale Command May Let Local Users Gain Elevated Privileges - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Glibc

Vendors: GNU [multiple authors]

Glibc Locale Command May Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1025286

SecurityTracker URL: http://securitytracker.com/id/1025286

CVE Reference: CVE-2011-1095 (Links to External Site)

Date: Apr 4 2011

Impact: Execution of arbitrary code via local system, User access via local system

Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes

Version(s): 2.12.1 and prior versions

Description: A vulnerability was reported in Glibc. A local user may be able to obtain elevated privileges on the target system.

The locale command does not properly escape user-supplied output. A local user with the ability to set the local environment variables of a script that performs shell evaluation of the output of the locale command may be able to cause arbitrary commands to be executed by the target script. The commands will run with the privileges of the target script.

Harald van Dijk reported this vulnerability.

Impact: A local user may be able to obtain elevated privileges on the target system.

Solution: The vendor has issued a source code fix, available at:

http://sourceware.org/git/?p=glibc.git;a=patch;h=026373745eab50a683536d950cb7e17dc98c4259

Vendor URL: www.gnu.org/software/libc/ (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

Apr 4 2011	(Red Hat Issues Fix) Glibc Locale Command May Let Local Users Gain Elevated Privileges (bugzilla@redhat.com) Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Apr 5 2011	(Red Hat Issues Fix) Glibc Locale Command May Let Local Users Gain Elevated Privileges (bugzilla@redhat.com) Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Jul 29 2011	(VMware Issues Fix for ESX) Glibc Locale Command May Let Local Users Gain Elevated Privileges (VMware Security Announcements <security-announce@lists.vmware.com>) VMware has issued a fix for VMware ESX.
Feb 14 2012	(Red Hat Issues Fix) Glibc Locale Command May Let Local Users Gain Elevated Privileges (bugzilla@redhat.com) Red Hat has issued a fix for Red Hat Enterprise Linux 4.

Source Message Contents


[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC