Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in glibc
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in glibc
ID: USN-1396-1
Distribution: Ubuntu
Plattformen: Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10
Datum: Fr, 9. März 2012, 23:03
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0864
Applikationen: GNU C library

Originalnachricht


--===============0898293134731008097==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="k+w/mQv8wyuph6w0"
Content-Disposition: inline


--k+w/mQv8wyuph6w0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

==========================================================================
Ubuntu Security Notice USN-1396-1
March 09, 2012

eglibc, glibc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Multiple vulnerabilities were discovered and fixed in the GNU C Library.

Software Description:
- eglibc: Embedded GNU C Library: sources
- glibc: GNU C Library: Documentation

Details:

It was discovered that the GNU C Library did not properly handle
integer overflows in the timezone handling code. An attacker could use
this to possibly execute arbitrary code by convincing an application
to load a maliciously constructed tzfile. (CVE-2009-5029)

It was discovered that the GNU C Library did not properly handle
passwd.adjunct.byname map entries in the Network Information Service
(NIS) code in the name service caching daemon (nscd). An attacker
could use this to obtain the encrypted passwords of NIS accounts.
This issue only affected Ubuntu 8.04 LTS. (CVE-2010-0015)

Chris Evans reported that the GNU C Library did not properly
calculate the amount of memory to allocate in the fnmatch() code. An
attacker could use this to cause a denial of service or possibly
execute arbitrary code via a maliciously crafted UTF-8 string.
This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu
10.10. (CVE-2011-1071)

Tomas Hoger reported that an additional integer overflow was possible
in the GNU C Library fnmatch() code. An attacker could use this to
cause a denial of service via a maliciously crafted UTF-8 string. This
issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10
and Ubuntu 11.04. (CVE-2011-1659)

Dan Rosenberg discovered that the addmntent() function in the GNU C
Library did not report an error status for failed attempts to write to
the /etc/mtab file. This could allow an attacker to corrupt /etc/mtab,
possibly causing a denial of service or otherwise manipulate mount
options. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS,
Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1089)

Harald van Dijk discovered that the locale program included with the
GNU C library did not properly quote its output. This could allow a
local attacker to possibly execute arbitrary code using a crafted
localization string that was evaluated in a shell script. This
issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu
10.10. (CVE-2011-1095)

It was discovered that the GNU C library loader expanded the
$ORIGIN dynamic string token when RPATH is composed entirely of this
token. This could allow an attacker to gain privilege via a setuid
program that had this RPATH value. (CVE-2011-1658)

It was discovered that the GNU C library implementation of memcpy
optimized for Supplemental Streaming SIMD Extensions 3 (SSSE3)
contained a possible integer overflow. An attacker could use this to
cause a denial of service or possibly execute arbitrary code. This
issue only affected Ubuntu 10.04 LTS. (CVE-2011-2702)

John Zimmerman discovered that the Remote Procedure Call (RPC)
implementation in the GNU C Library did not properly handle large
numbers of connections. This could allow a remote attacker to cause
a denial of service. (CVE-2011-4609)

It was discovered that the GNU C Library vfprintf() implementation
contained a possible integer overflow in the format string protection
code offered by FORTIFY_SOURCE. An attacker could use this flaw in
conjunction with a format string vulnerability to bypass the format
string protection and possibly execute arbitrary code. (CVE-2012-0864)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
libc6 2.13-20ubuntu5.1

Ubuntu 11.04:
libc6 2.13-0ubuntu13.1

Ubuntu 10.10:
libc-bin 2.12.1-0ubuntu10.4
libc6 2.12.1-0ubuntu10.4

Ubuntu 10.04 LTS:
libc-bin 2.11.1-0ubuntu7.10
libc6 2.11.1-0ubuntu7.10

Ubuntu 8.04 LTS:
libc6 2.7-10ubuntu8.1

After a standard system update you need to restart all services or
reboot your computer to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1396-1
CVE-2009-5029, CVE-2010-0015, CVE-2011-1071, CVE-2011-1089,
CVE-2011-1095, CVE-2011-1658, CVE-2011-1659, CVE-2011-2702,
CVE-2011-4609, CVE-2012-0864

Package Information:
https://launchpad.net/ubuntu/+source/eglibc/2.13-20ubuntu5.1
https://launchpad.net/ubuntu/+source/eglibc/2.13-0ubuntu13.1
https://launchpad.net/ubuntu/+source/eglibc/2.12.1-0ubuntu10.4
https://launchpad.net/ubuntu/+source/eglibc/2.11.1-0ubuntu7.10
https://launchpad.net/ubuntu/+source/glibc/2.7-10ubuntu8.1


--k+w/mQv8wyuph6w0
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJPWkxGAAoJEC8Jno0AXoH0MIQP+wS9bSmspith+4zu8W18eggn
1/HzHTpcujj4zefZycGstIQjKjhHpmrznj+3kuriPmJ5BRVYipRU+NUfZBCLJKP5
yk33zTPJYFI7ugK/twAg0Zk8n8Af1WOfX8EDr8ReBZXZ46X75zSBDLrC5GV+MiSq
VTQA1DhFcLkrwi/8OzALCv/2gn8p7zVNKHyp6GmtcHyrnYFWxvuI1hqTj9ZUaA8/
gB/zWzmA5JeKOKpu9V3yF7HIuayv8psyNZhUb+tut8A9iAcaJW5HTo79972Q7DBA
2lhBEiEtUkZosFcT5n49kYjdMNJjz37ycgDSLgmxtGEnCrshM3bKVBe0cVRzxyjS
XY3a2dc7Xch9rAo475HJEdRPWu9bZ69rNiiVDFsHxhTPC5vJXP0JOLjPufXu8WUl
1voYF1aXTefSwuGGcpZQbjgr12AVph7Y+pyN5ss6jfnWiBo1zj+YdalX9uTDGFXD
wsJ743St2mLn6BbHlo0zwv6tmYS8SsM51/aLOn1MVZXLoa08f5yZMnovkjb3Pvzm
JSKeiNLr3pwo25uvhv8nsNPzmuS4zvcwf2iZC1kJCD8u3JdQTslt2pcgg4OOYXPO
RIbZFphzE9AlCST5zHHeJb319M10EHHmVq11Wg6nu55BsEYB7Uvm4MIw3uxso5Ih
O1sb2iGSe5LgVF0Ab6/p
=5uh1
-----END PGP SIGNATURE-----

--k+w/mQv8wyuph6w0--


--===============0898293134731008097==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============0898293134731008097==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung