CVE-2017-1000366

Priority
Medium
Description
glibc contains a vulnerability that allows specially crafted
LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias,
potentially resulting in arbitrary code execution. Please note that
additional hardening changes have been made to glibc to prevent
manipulation of stack and heap memory, but these issues are not directly
exploitable; as such, they have not been given a CVE. This affects glibc
2.25 and earlier.
Ubuntu-Description
It was discovered that the GNU C library did not properly handle
memory when processing environment variables for setuid programs.
A local attacker could use this in combination with another
vulnerability to gain administrative privileges.
Package
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): DNE
Ubuntu 12.04 ESM (Precise Pangolin): released (2.15-0ubuntu10.20)
Ubuntu 14.04 LTS (Trusty Tahr): released (2.19-0ubuntu6.13)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 16.10 (Yakkety Yak): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Package
Source: glibc
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu Core 15.04: needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): released (2.23-0ubuntu9)
Ubuntu 16.10 (Yakkety Yak): released (2.24-3ubuntu2.2)
Ubuntu 17.04 (Zesty Zapus): released (2.24-9ubuntu2.2)

Updated: 2017-06-29 19:14:13 UTC (commit 12835)