CVE-2004-1453
Description
GNU glibc before certain versions allows local users to leak symbol information from setuid binaries via the LD_DEBUG environment variable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in GNU glibc versions 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, and 2.3.2 before 2.3.2-r10. The bug is that the LD_DEBUG environment variable is not restricted when executing a setuid program, allowing a local user to enable debugging output [1][4].
Exploitation
An attacker with local access can set the LD_DEBUG environment variable before running a setuid binary. The attacker can then observe the debugging output, which includes the list of symbols used by the program [1][4]. This requires no special privileges other than local shell access.
Impact
Successful exploitation allows a local user to gain sensitive information about the setuid binary, specifically the list of symbols and their memory locations. This information can be used to craft further attacks, such as using a trojaned library to hijack those symbols [4].
Mitigation
Patched versions are available: glibc-2.3.2-r11 and later for Gentoo [1], and updates from Red Hat (RHSA-2005-256, RHSA-2005-261) [2][3]. Users should upgrade to the latest fixed version. No known workaround exists [4].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:gnu:glibc:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.3.4:*:*:*:*:*:*:*
- (no CPE) range: before 2.3.4.20040619, before 2.3.3.20040420, before 2.3.2-r10
Patches
No patches discovered yet.
References
- secunia.com/advisories/12306 (nvd, Patch)
- www.securityfocus.com/bid/10963 (nvd, Patch)
- www.redhat.com/support/errata/RHSA-2005-256.html (nvd, Vendor Advisory)
- www.redhat.com/support/errata/RHSA-2005-261.html (nvd, Vendor Advisory)
- bugs.gentoo.org/show_bug.cgi (nvd)
- www.gentoo.org/security/en/glsa/glsa-200408-16.xml (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/17006 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10762 (nvd)