Note: This is an archival copy of Security Sun Alert 200519 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000396.1.
Article ID : 1000396.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2005-10-30
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Solaris Runtime Linker (ld.so.1(1))

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6291547

Date of Workaround Release
28-JUN-2005

Date of Resolved Release
31-OCT-2005

Impact

Local unprivileged users may be able to gain unauthorized root access due to a security vulnerability in the Solaris runtime linker (ld.so.1(1)).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform:

  • Solaris 8 with patches 109147-31 through 109147-36 and without patch 109147-37
  • Solaris 9 with patches 112963-16 through 112963-21 and without patch 112963-22
  • Solaris 10 without patch 117461-04

x86 Platform

  • Solaris 8 with patches 109148-31 through 109148-36 and without patch 109148-37
  • Solaris 9 with patches 113986-12 through 113986-17 and without patch 113986-18
  • Solaris 10 without patch 118345-05

Note: Solaris 7 is not affected by this issue.


Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited to gain elevated privileges.


Workaround

To work around the described issue, sites running Solaris 8 or Solaris 9 can back out the relevant linker patch to a revision which is not affected using the patchrm(1M) command. If the patch cannot be backed out, the ld.so.1(1M) file from an earlier patch can be replaced on the system using the following steps as the root user:

1. Copy the ld.so.1 file from the patch onto the system as shown in the following example:

    # cp ./SUNWcsu/reloc/usr/lib/ld.so.1 /usr/lib/ld.so.1-patch

2. Create a directory entry (link) for the existing runtime linker to a new file using ln(1):

    # cd /usr/lib ; ln ld.so.1 ld.so.1.original

3. Create a directory entry (link) for the patched runtime linker copied earlier to the current runtime linker, again using ln(1):

    # cd /usr/lib ; ln ld.so.1-patch ld.so.1

4. For SPARC systems running in 64-bit mode, the runtime linker located in the patch at:

    ./SUNWcsxu/reloc/usr/lib/sparcv9/ld.so.1

will need to be copied to "/usr/lib/sparcv9". The above steps can then be repeated using the "/usr/lib/sparcv9" path instead of "/usr/lib".


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 109147-37 or later
  • Solaris 9 with patch 112963-22 or later
  • Solaris 10 with patch 117461-04 or later

x86 Platform

  • Solaris 8 with patch 109148-37 or later
  • Solaris 9 with patch 113986-18 or later
  • Solaris 10 with patch 118345-05 or later


Modification History
Date: 29-JUN-2005

Change History

  • Updated Relief/Workaround section

Date: 30-JUN-2005
  • Updated Relief/Workaround section

Date: 12-JUL-2005

12-Jul-2005:

  • Updated Relief/Workaround

Date: 13-JUL-2005
  • Updated Relief/Workaround section

Date: 15-JUL-2005
  • Updated Contributing Factors and Resolution sections

Date: 20-JUL-2005
  • Updated Contributing Factors, Relief/Workaround and Resolution sections

 


Date: 25-JUL-2005
  • Updated Contributing Factors and Resolution sections

Date: 31-OCT-2005
  • State: Resolved
  • Updated Contributing Factors and Resolution sections


References

112963-22
109147-37
117461-04
109148-37
113986-18
118345-05




Attachments
This solution has no attachment