CVE-2010-3847

NameCVE-2010-3847
Descriptionelf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-2122-1, DSA-2122-2
Debian Bugs600667

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glibc (PTS)buster2.28-10+deb10u1fixed
buster (security)2.28-10+deb10u2fixed
bullseye2.31-13+deb11u8fixed
bullseye (security)2.31-13+deb11u9fixed
bookworm2.36-9+deb12u4fixed
bookworm (security)2.36-9+deb12u6fixed
sid, trixie2.37-18fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
eglibcsource(unstable)2.11.2-8600667
glibcsourcelenny2.7-18lenny7DSA-2122-2
glibcsource(unstable)2.11.2-8

Search for package or bug name: Reporting problems