Message-Id: <E1OM1jZ-0002lN-18@titan.mandriva.com>
Date: Tue, 08 Jun 2010 18:33:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:111 ] glibc


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:111
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : glibc
 Date    : June 8, 2010
 Affected: 2008.0, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities were discovered and fixed in glibc:
 
 Multiple integer overflows in the strfmon implementation in
 the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow
 context-dependent attackers to cause a denial of service (memory
 consumption or application crash) via a crafted format string, as
 demonstrated by a crafted first argument to the money_format function
 in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880).
 
 Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c
 in the strfmon implementation in the GNU C Library (aka glibc or
 libc6) before 2.10.1 allows context-dependent attackers to cause a
 denial of service (application crash) via a crafted format string,
 as demonstrated by the %99999999999999999999n string, a related issue
 to CVE-2008-1391 (CVE-2009-4881).
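
 The two strfmon issues above both come from numeric fields in the format
 string. The following added example (not glibc code and not part of the
 Mandriva advisory) shows one way a caller can pre-validate a strfmon-style
 format before passing it on; the names parse_num and check_money_format and
 the 256-byte buffer size are assumptions made for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Parse decimal digits; returns first non-digit, or NULL if > INT_MAX. */
static const char *parse_num(const char *p, int *out)
{
    int n = 0;
    for (; isdigit((unsigned char)*p); p++) {
        int d = *p - '0';
        if (n > (INT_MAX - d) / 10)        /* checked before the multiply */
            return NULL;
        n = n * 10 + d;
    }
    *out = n;
    return p;
}

/* Width, '#' left precision and '.' right precision of every conversion must
 * fit in an int and be below maxsize (the output buffer). 0 = ok, -1 = no. */
static int check_money_format(const char *fmt, size_t maxsize)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        if (*++p == '%') { p++; continue; }        /* literal percent */
        for (;;) {                                 /* flags */
            if (*p == '=' && p[1]) p += 2;         /* =f names a fill char */
            else if (*p && strchr("^+(!-", *p)) p++;
            else break;
        }
        for (int field = 0; field < 3; field++) {  /* width, #left, .right */
            int n;
            if (field > 0 && *p != "#."[field - 1]) continue;
            if (field > 0) p++;
            if ((p = parse_num(p, &n)) == NULL || (size_t)n >= maxsize)
                return -1;
        }
        if (*p != 'i' && *p != 'n')
            return -1;                             /* not a known conversion */
    }
    return 0;
}

int main(void)
{
    printf("%d\n", check_money_format("%=*#5.2i", 256));
    printf("%d\n", check_money_format("%99999999999999999999n", 256));
    return 0;
}
```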
 
 nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6)
 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the
 passwd.adjunct.byname map to entries in the passwd map, which allows
 remote attackers to obtain the encrypted passwords of NIS accounts
 by calling the getpwnam function (CVE-2010-0015).
 
 The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
 glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs,
 does not properly handle newline characters in mountpoint names, which
 allows local users to cause a denial of service (mtab corruption),
 or possibly modify mount options and gain privileges, via a crafted
 mount request (CVE-2010-0296).
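
 The newline problem described above can be seen with a small field encoder.
 This is an added example, not glibc's encode_name macro and not part of the
 Mandriva advisory; it assumes the octal-escape convention for mount-table
 fields, and the function names, record layout and sample mountpoint are
 constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Escape one mount-table field so it stays a single whitespace-free token on
 * one line. Space, tab and backslash become octal escapes; newline does too
 * when escape_newline is set (the case the advisory says was mishandled).
 * Returns the encoded length, or -1 if dst is too small. */
static int encode_field(const char *src, char *dst, size_t dstlen,
                        int escape_newline)
{
    size_t o = 0;
    for (; *src; src++) {
        const char *esc = NULL;
        switch (*src) {
        case ' ':  esc = "\\040"; break;
        case '\t': esc = "\\011"; break;
        case '\\': esc = "\\134"; break;
        case '\n': if (escape_newline) esc = "\\012"; break;
        }
        size_t need = esc ? 4 : 1;
        if (o + need + 1 > dstlen)
            return -1;                     /* never truncate silently */
        if (esc) { memcpy(dst + o, esc, 4); o += 4; }
        else     dst[o++] = *src;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Format one record and count the lines a table reader would then see. */
static int records_written(const char *mountpoint, int escape_newline)
{
    char dir[128], line[256];
    int n = 0;
    if (encode_field(mountpoint, dir, sizeof dir, escape_newline) < 0)
        return -1;
    snprintf(line, sizeof line, "//server/share %s cifs rw 0 0\n", dir);
    for (const char *p = line; *p; p++)
        n += (*p == '\n');
    return n;
}

int main(void)
{
    const char *mp = "/mnt/my share\nsecond-line";   /* constructed input */
    printf("newline passed through: %d record(s)\n", records_written(mp, 0));
    printf("newline escaped:        %d record(s)\n", records_written(mp, 1));
    return 0;
}
```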
 
 Integer signedness error in the elf_get_dynamic_info function
 in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or
 libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows
 user-assisted remote attackers to execute arbitrary code via a crafted
 ELF program with a negative value for a certain d_tag structure member
 in the ELF header (CVE-2010-0830).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4880
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4881
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0015
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0296
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMDkBMmqjQ0CJFipgRAm+4AJ9isnMfUuEozPQ7pXnllN4ZHWIqOgCeKWgz
sMpCsVrWgVEwC3ApL07K6ak=
=OT8N
-----END PGP SIGNATURE-----
