CVE-2017-16997

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

Published: Dec 18, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-16997
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-426

Affected Software
References

Software	From	Fixed in
gnu / glibc	2.22	2.22.x
gnu / glibc	2.20	2.20.x
gnu / glibc	2.25	2.25.x
gnu / glibc	2.19	2.19.x
gnu / glibc	2.21	2.21.x
gnu / glibc	2.26	2.26.x
gnu / glibc	2.23	2.23.x
redhat / enterprise_linux_desktop	7.0	7.0.x
redhat / enterprise_linux_workstation	7.0	7.0.x
redhat / enterprise_linux_server	7.0	7.0.x

Vulnerability Database

289,599

CVE-2017-16997