Affecting glibc package, versions debian:10: <2.26-4 || debian:8: * || debian:9: * || debian:unstable: <2.26-4 || ubuntu:16.04: <2.23-0ubuntu10 || ubuntu:17.10: <2.26-0ubuntu2.1
In glibc 2.26 and earlier there is confusion in the usage of realpath(), which can be used to write before the destination buffer, leading to a buffer underflow and potential code execution.
The vulnerability is caused by a combination of a functional change in the Linux kernel syscall API (returning relative pathnames from getcwd()) and a non-defensive function implementation in libc (failing to process that pathname correctly). A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain root privileges.
Note: Multiple exploits exist for this vulnerability and are publicly available.
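As an added example that is not glibc's code: a minimal ".." resolver in C with the two checks the description above implies, refusing a base path that is not absolute and bounding the walk back to the previous '/' so it can never step before the output buffer. The "(unreachable)/" prefix in the test input is the form in which the Linux kernel reports a cwd outside the process root; resolve_dotdot and check are hypothetical names.

```c
#include <errno.h>
#include <string.h>

/* Added example, not glibc code: append a relative path to a base
 * directory the way realpath() walks ".." components, with the two
 * guards the vulnerable code lacked: the base must be absolute (the
 * kernel can return "(unreachable)/..." from getcwd()), and the walk
 * back to the previous '/' is bounded at out[0]. */
int resolve_dotdot(const char *base, const char *rel, char *out, size_t outlen)
{
    if (base == NULL || base[0] != '/') { errno = ENOENT; return -1; }
    size_t len = strlen(base);
    if (len + 1 > outlen) { errno = ENAMETOOLONG; return -1; }
    memcpy(out, base, len);
    char *dest = out + len;                 /* one past the last char */
    while (dest > out + 1 && dest[-1] == '/')
        dest--;                             /* drop trailing slashes */
    for (const char *p = rel; *p; ) {
        while (*p == '/') p++;              /* skip separators */
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 0 || (clen == 1 && start[0] == '.'))
            continue;                       /* empty or "." component */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* out[0] == '/' is guaranteed, so this stops at the root
             * instead of running before the buffer. */
            while (dest > out + 1 && dest[-1] != '/') dest--;
            if (dest > out + 1) dest--;     /* remove the separator */
            continue;
        }
        if ((size_t)(dest - out) + clen + 2 > outlen) { errno = ENAMETOOLONG; return -1; }
        if (dest > out + 1) *dest++ = '/';
        memcpy(dest, start, clen);
        dest += clen;
    }
    *dest = '\0';
    return 0;
}

/* Test helper: 1 if resolve_dotdot() yields expect (or fails with ENOENT
 * when expect is NULL), else 0. */
int check(const char *base, const char *rel, const char *expect)
{
    char buf[64];
    int rc = resolve_dotdot(base, rel, buf, sizeof buf);
    if (expect == NULL) return rc == -1 && errno == ENOENT;
    return rc == 0 && strcmp(buf, expect) == 0;
}
```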
- 2017-12-31: Reported to distros list as glibc errors should be reported to distros first.
- 2018-01-01: Informed distros that the kernel issue should be handled first. Reported to kernel security.
- 2018-01-02: Kernel security reply: getcwd() behaviour is documented in the getcwd(3) man page, not an issue; only libraries need fixing.
- 2018-01-07: Final high-reliability anti-ASLR exploit for Stretch/Xenial using getdate/execl.
- 2018-01-10: CVE-2018-1000001 assigned.
- 2018-01-11: Publication without exploit code.
- 2018-01-12: SUSE distributes fixes: SUSE-SU-2018:0071-1.
- 2018-01-16: PoC code released.