[CentOS] install older version of glibc package

Peter Kjellstrom cap at nsc.liu.se
Tue Oct 26 05:34:52 EDT 2010


On Monday 25 October 2010, Peter Kjellstrom wrote:
> On Monday 25 October 2010, Sherin George wrote:
> > Hello Guys,
> >
> > Recently, I have installed some custom packaged of glibc in servers I
> > manage due to vulnerabilities. At that time, official centos packages
> > were not available. Now, I want to roll back to centos versions.
>
> Do note that this new (and probably your custom built) glibc is vulnerable
> to a new trivial local root

For completeness,

Turns out that getting root with 3856 on CentOS-5 at least isn't 
copy-n-paste-trivial. The suggested exploit using libpcprofile.so fails since 
that file comes from glibc-utils which (afaict) typically isn't installed.

That said, it seems very likely that there are other ways to exploit 3856 on 
CentOS-5, so do not in any way interpret this as "let's skip the update".

/Peter

> (so you may want to build yet another custom 
> version instead of switching back):
>
>  https://bugzilla.redhat.com/show_bug.cgi?id=cve-2010-3856