ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.
References
Configurations
Configuration 1 (hide)
|
History
20 Jul 2023, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jul 2023, 12:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
19 Jul 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Feb 2023, 04:26
Type | Values Removed | Values Added |
---|---|---|
Summary | ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so. | |
References |
|
02 Feb 2023, 17:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | CVE-2010-3856 glibc: ld.so arbitrary DSO loading via LD_AUDIT in setuid/setgid programs |
Information
Published : 2011-01-07 19:00
Updated : 2023-12-10 11:03
NVD link : CVE-2010-3856
Mitre link : CVE-2010-3856
CVE.ORG link : CVE-2010-3856
JSON object : View
Products Affected
gnu
- glibc
CWE
CWE-264
Permissions, Privileges, and Access Controls