CVE-2017-1000366
Publication date 19 June 2017
Last updated 24 July 2024
Ubuntu priority
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.
From the Ubuntu Security Team
It was discovered that the GNU C library did not properly handle memory when processing environment variables for setuid programs. A local attacker could use this in combination with another vulnerability to gain administrative privileges.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| eglibc | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 2.19-0ubuntu6.13
|
|
| glibc | ||
| 16.04 LTS xenial |
Fixed 2.23-0ubuntu9
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3323-1
- GNU C Library vulnerability
- 19 June 2017
- USN-3323-2
- GNU C Library vulnerability
- 29 June 2017