Sicherheit: Mehrere Probleme in glibc

Lesezeichen hinzufügen

This is a multi-part message in MIME format...

------------=_1427700988-30609-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:168
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : glibc
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated glibc packages fix security vulnerabilities:

Stephane Chazelas discovered that directory traversal issue in locale
handling in glibc. glibc accepts relative paths with .. components
in the LC_* and LANG variables. Together with typical OpenSSH
configurations (with suitable AcceptEnv settings in sshd_config),
this could conceivably be used to bypass ForceCommand restrictions
(or restricted shells), assuming the attacker has sufficient level
of access to a file system location on the host to create crafted
locale definitions there (CVE-2014-0475).

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where
posix_spawn_file_actions_addopen fails to copy the path argument
(glibc bz #17048) which can, in conjunction with many common memory
management techniques from an application, lead to a use after free,
or other vulnerabilities (CVE-2014-4043).

This update also fixes the following issues: x86: Disable x87 inline
functions for SSE2 math (glibc bz #16510) malloc: Fix race in free()
of fastbin chunk (glibc bz #15073)

Tavis Ormandy discovered a heap-based buffer overflow in the
transliteration module loading code. As a result, an attacker who can
supply a crafted destination character set argument to iconv-related
character conversation functions could achieve arbitrary code
execution.

This update removes support of loadable gconv transliteration
modules. Besides the security vulnerability, the module loading code
had functionality defects which prevented it from working for the
intended purpose (CVE-2014-5119).

Adhemerval Zanella Netto discovered out-of-bounds reads in additional
code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
that can be used to crash the systems, causing a denial of service
conditions (CVE-2014-6040).

The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((...
))"
where "..." can be anything valid. The backticks in the
arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass the
WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).

The vfprintf function in stdio-common/vfprintf.c in GNU C Library
(aka glibc) 2.5, 2.12, and probably other versions does not properly
restrict the use of the alloca function when allocating the SPECS
array, which allows context-dependent attackers to bypass the
FORTIFY_SOURCE format-string protection mechanism and cause a denial
of service (crash) or possibly execute arbitrary code via a crafted
format string using positional parameters and a large number of format
specifiers (CVE-2012-3406).

The nss_dns implementation of getnetbyname could run into an infinite
loop if the DNS response contained a PTR record of an unexpected format
(CVE-2014-9402).

Also glibc lock elision (new feature in glibc 2.18) has been disabled
as it can break glibc at runtime on newer Intel hardware (due to
hardware bug)

Under certain conditions wscanf can allocate too little memory
for the to-be-scanned arguments and overflow the allocated buffer
(CVE-2015-1472).

The incorrect use of "__libc_use_alloca (newsize)" caused a
different
(and weaker) policy to be enforced which could allow a denial of
service attack (CVE-2015-1473).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1473
http://advisories.mageia.org/MGASA-2014-0314.html
http://advisories.mageia.org/MGASA-2014-0376.html
http://advisories.mageia.org/MGASA-2014-0496.html
http://advisories.mageia.org/MGASA-2015-0013.html
http://advisories.mageia.org/MGASA-2015-0072.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
4813a9b0e1c42bf56140e891d79e2353 mbs2/x86_64/glibc-2.18-10.1.mbs2.x86_64.rpm
00e7c5806f84e66faff537c7dbdd2d75
mbs2/x86_64/glibc-devel-2.18-10.1.mbs2.x86_64.rpm
befbdbd1e160b4e9228d9a2857ef470b
mbs2/x86_64/glibc-doc-2.18-10.1.mbs2.noarch.rpm
aac9ed0c364fd778af009708eccaceab
mbs2/x86_64/glibc-i18ndata-2.18-10.1.mbs2.x86_64.rpm
b6afecf4b2a18feb469935718e47c0e5
mbs2/x86_64/glibc-profile-2.18-10.1.mbs2.x86_64.rpm
b3744f2fb467493e0eac75895f6daf61
mbs2/x86_64/glibc-static-devel-2.18-10.1.mbs2.x86_64.rpm
1145e4c5b240eb61f096f7ec45767f69
mbs2/x86_64/glibc-utils-2.18-10.1.mbs2.x86_64.rpm
c09e1bc71aeaa471c72cea6828f054cf mbs2/x86_64/nscd-2.18-10.1.mbs2.x86_64.rpm
3d03bd7c7f066d36f97e5fee3db8c2b3 mbs2/SRPMS/glibc-2.18-10.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGO6TmqjQ0CJFipgRApv6AKCttgtUwlS7NqmGCqL0ift/1utqmgCfdGsR
srQv9Hgp0MxVLn0efzx6+BU=
=VrqI
-----END PGP SIGNATURE-----

------------=_1427700988-30609-1
Content-Type: text/plain; charset="UTF-8";
name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

------------=_1427700988-30609-1--