Subject: pkg/10983: suse linux packages need to be verified for glibc locale vulnerability
To: None <gnats-bugs@gnats.netbsd.org>
From: None <abs@mono.org>
List: netbsd-bugs
Date: 09/10/2000 13:34:14
>Number: 10983
>Category: pkg
>Synopsis: suse linux packages need to be verified for glibc locale vulnerability
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 10 13:35:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:
>Release: N/A
>Organization:
David/absolute
-- www.netbsd.org: No hype required --
>Environment:
System: NetBSD odysseus.mono.org 1.5_ALPHA2 NetBSD 1.5_ALPHA2 (_ODYSSEUS_) #0: Fri Sep 8 19:16:39 BST 2000 root@odysseus.mono.org:/home/netbsd/src/sys/arch/i386/compile/_ODYSSEUS_ i386
>Description:
Virtually all current Linux systems have been hit by a vulnerability
in glibc locale handling that can allow root break-in by crafting
locale files for certain setuid binaries.
The suse_linux emulation libraries in pkgsrc almost certainly contain
the same bug, which could allow a setuid Linux binary to be used to
break into a NetBSD box. As far as I know, no such binaries are
installed by pkgsrc, but people may rely on pkgsrc emulation for
other Linux binaries.
>How-To-Repeat:
Install the pkgsrc Linux emulation binaries and an appropriate setuid
Linux binary.
>Fix:
Ensure pkgsrc contains the latest SuSE Linux glibc library.
>Release-Note:
>Audit-Trail:
>Unformatted:
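
Added example, not part of the original report or of pkgsrc: an audit sketch that lists setuid/setgid files whose ELF program interpreter is a Linux loader, which are the binaries the report says would expose the emulated glibc. It assumes a Linux dynamic binary is recognisable by an `ld-linux` loader name in PT_INTERP and scans from `/` unless a directory is given; all function names are hypothetical.

```python
import os, stat, struct, sys
PT_INTERP = 3  # program header type holding the dynamic loader path

def elf_interp(data):
    """Return the PT_INTERP path of an ELF image, or None."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return None
    end = "<" if data[5] == 1 else ">"  # EI_DATA: byte order
    try:
        if data[4] == 1:  # ELF32 field offsets
            word, phoff_at, phent_at, off_at, size_at = "I", 28, 42, 4, 16
        else:             # ELF64 field offsets
            word, phoff_at, phent_at, off_at, size_at = "Q", 32, 54, 8, 32
        phoff, = struct.unpack_from(end + word, data, phoff_at)
        phentsize, phnum = struct.unpack_from(end + "HH", data, phent_at)
        for i in range(phnum):
            ph = phoff + i * phentsize
            if struct.unpack_from(end + "I", data, ph)[0] == PT_INTERP:
                off, = struct.unpack_from(end + word, data, ph + off_at)
                size, = struct.unpack_from(end + word, data, ph + size_at)
                return data[off:off + size].split(b"\0")[0].decode("latin-1")
    except struct.error:  # truncated or malformed header
        pass
    return None

def is_linux_elf(data):
    """True if the loader is an ld-linux one (assumption; static binaries are missed)."""
    interp = elf_interp(data)
    return interp is not None and "ld-linux" in os.path.basename(interp)

def setid_linux_binaries(root, head=65536):
    """List setuid/setgid regular files under root that are Linux ELF."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
                if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                    with open(path, "rb") as fh:
                        if is_linux_elf(fh.read(head)):
                            hits.append(path)
            except OSError:  # unreadable or vanished file
                continue
    return sorted(hits)

if __name__ == "__main__":
    for hit in setid_linux_binaries(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(hit)
```

An empty result only covers dynamically linked binaries; statically linked Linux executables carry no PT_INTERP and need a separate check.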