CVE-2009-2669

Name of the Vulnerable Software and Affected Versions IBM AIX versions 5.3 through 6.1

Description The issue is related to a debugging component that does not properly handle the LIB INIT DBG and LIB INIT DBG FILE environment variables. This allows local users to gain privileges by leveraging a setuid-root program to create an arbitrary root-owned file with world-writable permissions. The problem is associated with the libC.a (also known as the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1.

Recommendations For IBM AIX versions 5.3 through 6.1, consider restricting access to setuid-root programs to minimize the risk of exploitation. As a temporary workaround, avoid using the LIB INIT DBG and LIB INIT DBG FILE environment variables in sensitive operations until a patch is available.