whatever happened with glibc bug?

"J. Jones" at darkside.dynup.net
Mon Nov 27 11:36:01 PST 2000


There were two patches that I was aware of, never officially released
though.  Most distros made patches off the cvs version that the updates
were applied to.  Best place to get them:
ftp://ftp.freesoftware.com/pub/slackware/slackware-7.1/source/d/glibc/

These patches fixed one locale hole, but a _local_ user can still exploit
it, and su is still exploitable after these patches.

AFAIK, glibc 2.2 corrects at _least_ these holes.  I found it quite
disturbing that simply by changing the language and setting a few tricky
environment variables, my box could be rooted.  These particular bugs in
glibc 2.1.3 were responsible for a _large_ number of exploits in other
packages (syslogd for one).

If you are looking for a good linux security mailing list, you _must_ try
securityportal.com's linux-security mailing list.  I have not found one
faster or more thorough.

mail linux-security at listserv.securityportal.com with the subject "subscribe"

Jeremy

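Jeremy's point that a change of language plus a few environment variables was enough to root a box is the core of the glibc 2.1.x locale problem: a setuid program called setlocale() and let libc open locale and message-catalog files chosen by the unprivileged caller. The following is an added example, not code from this thread or from glibc, showing the defense an application can apply on its own regardless of libc version: when running with privileges its caller lacks, strip every locale-related variable before the first setlocale() call. The variable list, the function names and the constructed test values are this example's own choices.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <locale.h>

extern char **environ;

/* Variables that steer which locale and message-catalog files libc opens.
 * "LC_" matches the whole family (LC_ALL, LC_MESSAGES, ...).
 * List chosen for this example. */
static const char *locale_prefixes[] = {
    "LANG=", "LANGUAGE=", "LC_", "NLSPATH=", "LOCPATH="
};

static int is_locale_var(const char *entry)
{
    size_t i;
    for (i = 0; i < sizeof locale_prefixes / sizeof locale_prefixes[0]; i++) {
        size_t len = strlen(locale_prefixes[i]);
        if (strncmp(entry, locale_prefixes[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Remove every locale-related variable from the process environment.
 * unsetenv() shifts environ, so rescan from the start after each removal.
 * Returns the number of variables removed. */
int scrub_locale_env(void)
{
    int removed = 0;
    for (;;) {
        char **e;
        const char *hit = NULL;
        for (e = environ; e != NULL && *e != NULL; e++) {
            if (is_locale_var(*e)) {
                hit = *e;
                break;
            }
        }
        if (hit == NULL)
            return removed;

        /* Copy just the NAME part of "NAME=value" for unsetenv(). */
        size_t n = strcspn(hit, "=");
        char *name = malloc(n + 1);
        if (name == NULL)
            return removed;        /* out of memory: stop; caller may abort */
        memcpy(name, hit, n);
        name[n] = '\0';
        unsetenv(name);
        free(name);
        removed++;
    }
}

/* True when the process holds privileges its caller does not have,
 * i.e. when the caller's environment must not be trusted. */
int running_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

int main(void)
{
    if (running_privileged())
        scrub_locale_env();

    /* Only now initialise the locale. With the variables gone, a setuid
     * invocation ends up in the "C" locale instead of an attacker's files. */
    setlocale(LC_ALL, "");
    printf("locale in use: %s\n", setlocale(LC_ALL, NULL));
    return 0;
}
```

The scrub runs before any library call that might consult the locale, and it is keyed on the real-versus-effective id mismatch rather than on "am I root", so the same binary behaves normally when run unprivileged by its owner.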


Hi,

Remember the glibc bug(s) announced at the beginning of September? I was just
curious whether or not there were any patches to be applied... Maybe it
was on the list? If so, I missed it.

Since then I have reinstalled OpenLinux 2.4 on some spare HD space just
so I can keep up with their security announcements. I figure I can get
their patched source RPMs, see what they did to fix it, and try to
figure out how to apply it to LFS! =) Really though, I don't know if it's
worth it...

Any thoughts out there..?

--
Ta,
Jeff
