{"id":"CVE-2017-16997","details":"elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.","modified":"2026-07-08T05:48:36.174229756Z","published":"2017-12-18T01:29:00.190Z","related":["SUSE-SU-2018:0074-1","openSUSE-SU-2024:10792-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","vendor_product":"redhat:enterprise_linux_desktop","extracted_events":[{"introduced":"7.0"},{"last_affected":"7.0"}],"cpes":["cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"]},{"vendor_product":"redhat:enterprise_linux_server","source":"CPE_STRING","extracted_events":[{"introduced":"7.0"},{"last_affected":"7.0"}],"cpes":["cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"]},{"vendor_product":"redhat:enterprise_linux_workstation","source":"CPE_STRING","extracted_events":[{"introduced":"7.0"},{"last_affected":"7.0"}],"cpes":["cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"]}]},"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/102228"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHBA-2019:0327"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3092"},{"type":"FIX","url":"https://bugs.debian.org/884615"},{"type":"FIX","url":"https://sourceware.org/bugzilla/show_bug.cgi?id=22625"},{"type":"FIX","url":"https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bminor/glibc","events":[{"introduced":"9a869d822025be8e43b78234997b10bf0cf9d859"},{"last_affected":"1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"}],"database_specific":{"source":"CPE_STRING","extracted_events":[{"introduced":"2.19"},{"last_affected":"2.19"},{"introduced":"2.20"},{"last_affected":"2.20"},{"introduced":"2.21"},{"last_affected":"2.21"},{"introduced":"2.22"},{"last_affected":"2.22"},{"introduced":"2.23"},{"last_affected":"2.23"},{"introduced":"2.25"},{"last_affected":"2.25"},{"introduced":"2.26"},{"last_affected":"2.26"}],"cpe":["cpe:2.3:a:gnu:glibc:2.19:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.20:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.21:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.22:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.23:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.25:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.26:*:*:*:*:*:*:*"]}}],"versions":["2.19","2.20","2.21","2.22","2.23","2.25","2.26","glibc-2.26","glibc-2.25","glibc-2.25.90","glibc-2.24","glibc-2.24.90","glibc-2.23","glibc-2.23.90","glibc-2.22","glibc-2.22.90","glibc-2.21","glibc-2.21.90","glibc-2.20","glibc-2.20.90","glibc-2.19","glibc-2.19.90"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16997.json"}},{"ranges":[{"type":"GIT","repo":"https://sourceware.org/git/glibc.git","events":[{"introduced":"9a869d822025be8e43b78234997b10bf0cf9d859"},{"last_affected":"1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"}],"database_specific":{"source":"CPE_STRING","extracted_events":[{"introduced":"2.19"},{"last_affected":"2.19"},{"introduced":"2.20"},{"last_affected":"2.20"},{"introduced":"2.21"},{"last_affected":"2.21"},{"introduced":"2.22"},{"last_affected":"2.22"},{"introduced":"2.23"},{"last_affected":"2.23"},{"introduced":"2.25"},{"last_affected":"2.25"},{"introduced":"2.26"},{"last_affected":"2.26"}],"cpe":["cpe:2.3:a:gnu:glibc:2.19:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.20:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.21:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.22:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.23:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.25:*:*:*:*:*:*:*","cpe:2.3:a:gnu:glibc:2.26:*:*:*:*:*:*:*"]}}],"versions":["2.19","2.20","2.21","2.22","2.23","2.25","2.26","glibc-2.26","glibc-2.25","glibc-2.25.90","glibc-2.24","glibc-2.24.90","glibc-2.23","glibc-2.23.90","glibc-2.22","glibc-2.22.90","glibc-2.21","glibc-2.21.90","glibc-2.20","glibc-2.20.90","glibc-2.19","glibc-2.19.90"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16997.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}