The runtime linker in IBM AIX 6.1 and 7.1 and VIOS 2.2.x allows local users to create a mode-666 root-owned file, and consequently gain privileges, by setting crafted MALLOCOPTIONS and MALLOCBUCKETS environment-variable values and then executing a setuid program.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Vios | Ibm | 2.2.0.10 (including) | 2.2.0.10 (including) |
| Vios | Ibm | 2.2.0.11 (including) | 2.2.0.11 (including) |
| Vios | Ibm | 2.2.0.12 (including) | 2.2.0.12 (including) |
| Vios | Ibm | 2.2.0.13 (including) | 2.2.0.13 (including) |
| Vios | Ibm | 2.2.1.0 (including) | 2.2.1.0 (including) |
| Vios | Ibm | 2.2.1.1 (including) | 2.2.1.1 (including) |
| Vios | Ibm | 2.2.1.3 (including) | 2.2.1.3 (including) |
| Vios | Ibm | 2.2.1.4 (including) | 2.2.1.4 (including) |
| Vios | Ibm | 2.2.1.4-fp-25_sp-02 (including) | 2.2.1.4-fp-25_sp-02 (including) |
| Vios | Ibm | 2.2.1.8 (including) | 2.2.1.8 (including) |
| Vios | Ibm | 2.2.1.9 (including) | 2.2.1.9 (including) |
| Vios | Ibm | 2.2.2.0 (including) | 2.2.2.0 (including) |
| Vios | Ibm | 2.2.2.4 (including) | 2.2.2.4 (including) |
| Vios | Ibm | 2.2.2.5 (including) | 2.2.2.5 (including) |
| Vios | Ibm | 2.2.3.0 (including) | 2.2.3.0 (including) |
| Vios | Ibm | 2.2.3.2 (including) | 2.2.3.2 (including) |
| Vios | Ibm | 2.2.3.3 (including) | 2.2.3.3 (including) |
| Aix | Ibm | 6.1 (including) | 6.1 (including) |
| Aix | Ibm | 7.1 (including) | 7.1 (including) |