CVE-2023-4911: glibc: Looney Tunables: buffer overflow in ld.so leading to privilege escalation¶
Summary¶
As described by Red Hat and in CVE-2023-4911:
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES
environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES
environment variables when launching binaries with SUID permission to execute code with elevated privileges.
More detail is available in the public disclosure by Qualys, the team who discovered the issue.
Public disclosure date: October 3, 2023
EL9¶
Mitigated in version: 2.34-60.el9_2.security.0.2
available October 3, 2023
Fixed in version: glibc-2.34-60.el9_2.7
available October 5, 2023
Besides the upstream fix, we also retained the mitigation in the Security SIG package of glibc.
EL8¶
Fixed in version: glibc-0:2.28-225.el8_8.6
available October 5, 2023
Errata: RLSA-2023:5455 issued October 7, 2023