lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1YcUDs-0003jm-98@titan.mandriva.com>
Date: Mon, 30 Mar 2015 09:35:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2015:168 ] glibc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:168
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : glibc
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated glibc packages fix security vulnerabilities:
 
 Stephane Chazelas discovered that directory traversal issue in locale
 handling in glibc.  glibc accepts relative paths with .. components
 in the LC_* and LANG variables.  Together with typical OpenSSH
 configurations (with suitable AcceptEnv settings in sshd_config),
 this could conceivably be used to bypass ForceCommand restrictions
 (or restricted shells), assuming the attacker has sufficient level
 of access to a file system location on the host to create crafted
 locale definitions there (CVE-2014-0475).
 
 David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where
 posix_spawn_file_actions_addopen fails to copy the path argument
 (glibc bz #17048) which can, in conjunction with many common memory
 management techniques from an application, lead to a use after free,
 or other vulnerabilities (CVE-2014-4043).
 
 This update also fixes the following issues: x86: Disable x87 inline
 functions for SSE2 math (glibc bz #16510) malloc: Fix race in free()
 of fastbin chunk (glibc bz #15073)
 
 Tavis Ormandy discovered a heap-based buffer overflow in the
 transliteration module loading code. As a result, an attacker who can
 supply a crafted destination character set argument to iconv-related
 character conversation functions could achieve arbitrary code
 execution.
 
 This update removes support of loadable gconv transliteration
 modules. Besides the security vulnerability, the module loading code
 had functionality defects which prevented it from working for the
 intended purpose (CVE-2014-5119).
 
 Adhemerval Zanella Netto discovered out-of-bounds reads in additional
 code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
 that can be used to crash the systems, causing a denial of service
 conditions (CVE-2014-6040).
 
 The function wordexp() fails to properly handle the WRDE_NOCMD
 flag when processing arithmetic inputs in the form of &quot;$((... ))&quot;
 where &quot;...&quot; can be anything valid. The backticks in the arithmetic
 epxression are evaluated by in a shell even if WRDE_NOCMD forbade
 command substitution. This allows an attacker to attempt to pass
 dangerous commands via constructs of the above form, and bypass the
 WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).
 
 The vfprintf function in stdio-common/vfprintf.c in GNU C Library
 (aka glibc) 2.5, 2.12, and probably other versions does not properly
 restrict the use of the alloca function when allocating the SPECS
 array, which allows context-dependent attackers to bypass the
 FORTIFY_SOURCE format-string protection mechanism and cause a denial
 of service (crash) or possibly execute arbitrary code via a crafted
 format string using positional parameters and a large number of format
 specifiers (CVE-2012-3406).
 
 The nss_dns implementation of getnetbyname could run into an infinite
 loop if the DNS response contained a PTR record of an unexpected format
 (CVE-2014-9402).
 
 Also glibc lock elision (new feature in glibc 2.18) has been disabled
 as it can break glibc at runtime on newer Intel hardware (due to
 hardware bug)
 
 Under certain conditions wscanf can allocate too little memory
 for the to-be-scanned arguments and overflow the allocated buffer
 (CVE-2015-1472).
 
 The incorrect use of &quot;__libc_use_alloca (newsize)&quot; caused a different
 (and weaker) policy to be enforced which could allow a denial of
 service attack (CVE-2015-1473).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1473
 http://advisories.mageia.org/MGASA-2014-0314.html
 http://advisories.mageia.org/MGASA-2014-0376.html
 http://advisories.mageia.org/MGASA-2014-0496.html
 http://advisories.mageia.org/MGASA-2015-0013.html
 http://advisories.mageia.org/MGASA-2015-0072.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 4813a9b0e1c42bf56140e891d79e2353  mbs2/x86_64/glibc-2.18-10.1.mbs2.x86_64.rpm
 00e7c5806f84e66faff537c7dbdd2d75  mbs2/x86_64/glibc-devel-2.18-10.1.mbs2.x86_64.rpm
 befbdbd1e160b4e9228d9a2857ef470b  mbs2/x86_64/glibc-doc-2.18-10.1.mbs2.noarch.rpm
 aac9ed0c364fd778af009708eccaceab  mbs2/x86_64/glibc-i18ndata-2.18-10.1.mbs2.x86_64.rpm
 b6afecf4b2a18feb469935718e47c0e5  mbs2/x86_64/glibc-profile-2.18-10.1.mbs2.x86_64.rpm
 b3744f2fb467493e0eac75895f6daf61  mbs2/x86_64/glibc-static-devel-2.18-10.1.mbs2.x86_64.rpm
 1145e4c5b240eb61f096f7ec45767f69  mbs2/x86_64/glibc-utils-2.18-10.1.mbs2.x86_64.rpm
 c09e1bc71aeaa471c72cea6828f054cf  mbs2/x86_64/nscd-2.18-10.1.mbs2.x86_64.rpm 
 3d03bd7c7f066d36f97e5fee3db8c2b3  mbs2/SRPMS/glibc-2.18-10.1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGO6TmqjQ0CJFipgRApv6AKCttgtUwlS7NqmGCqL0ift/1utqmgCfdGsR
srQv9Hgp0MxVLn0efzx6+BU=
=VrqI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ