Sicherheit: Mangelnde Prüfung von Umgebungsvariablen in glibc

Lesezeichen hinzufügen

-------------------------------------------------------------------------------
-
Fedora Update Notification
FEDORA-2020-1a3bdfde17
2020-01-20 22:48:10.259348
-------------------------------------------------------------------------------
-

Name : glibc
Product : Fedora 31
Version : 2.30
Release : 10.fc31
URL : http://www.gnu.org/software/glibc/
Summary : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

-------------------------------------------------------------------------------
-
Update Information:

This update fixes a minor security vulnerability ([`LD_PREFER_MAP_32BIT_EXEC`
not ignored in setuid
binaries](https://bugzilla.redhat.com/show_bug.cgi?id=1774682) and addresses are
long-standing bug where missing shared objects could cause crashes due to
incorrectly handled `dlopen` failures (RHBZ#1395758). The latter fix also
causes
lazy binding failures in ELF constructors and destructors to result in process
termination (the same effect that lazy binding failures have in other
contexts),
rather than leaving the process in an inconsistent state. Furthermore, various
issues in the `utmp`/`utmpx` subsystem have been addressed. This update also
includes various minor fixes from the glibc 2.30 upstream stable release
branch.
-------------------------------------------------------------------------------
-
ChangeLog:

* Fri Jan 17 2020 Florian Weimer <fweimer@redhat.com> - 2.30-10
- Fix dynamic loader crash after dlopen failure with NODELETE (#1395758)
- Lazy binding failures during ELF constructors and destructors now always
terminate the process.
* Fri Jan 17 2020 Florian Weimer <fweimer@redhat.com> - 2.30-9
- Auto-sync with upstream branch release/2.30/master,
commit 994e529a37953a057b9e6c80afa03b03fd3724f2:
- Remove incorrect alloc_size attribute from pvalloc (swbz#25401)
- login: Use pread64 in utmp implementation
- Add nocancel version of pread64()
- login: Introduce matches_last_entry to utmp processing
- login: Acquire write lock early in pututline (swbz#24882)
- login: Add nonstring attributes to struct utmp, struct utmpx (swbz#24899)
- login: Remove double-assignment of fl.l_whence in try_file_lock
- login: pututxline could fail to overwrite existing entries (swbz#24902)
- login: Use struct flock64 in utmp (swbz#24880)
- login: Disarm timer after utmp lock acquisition (swbz#24879)
- login: Fix updwtmp, updwtmx unlocking
- login: Replace macro-based control flow with function calls in utmp
- login: Assume that _HAVE_UT_* constants are true
- login: Remove utmp backend jump tables (swbz#23518)
- misc/test-errno-linux: Handle EINVAL from quotactl
- <string.h>: Define __CORRECT_ISO_CPP_STRING_H_PROTO for Clang
(swbz#25232)
- x86: Assume --enable-cet if GCC defaults to CET (swbz#25225)
- libio: Disable vtable validation for pre-2.1 interposed handles (swbz#25203)
- S390: Fix handling of needles crossing a page in strstr z15 ifunc-variant.
(swbz#25226)
- rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC
(CVE-2019-19126) (#1774682)
- Don't use a custom wrapper macro around __has_include (swbz#25189)
* Wed Dec 4 2019 Arjun Shankar <arjun@redhat.com> - 2.30-8
- Rebuild to fix corrupt annobin data in crti.o and crtn.o [BZ# 1779399]
* Tue Nov 19 2019 Arjun Shankar <arjun@redhat.com> - 2.30-7
- Auto-sync with upstream branch release/2.30/master,
commit 919af705eef416f4469341dfdf4ca23450f30236:
- Update Alpha libm-test-ulps
- hppa: Update libm-tests-ulps
- alpha: force old OSF1 syscalls for getegid, geteuid and getppid [BZ #24986]
- Fix RISC-V vfork build with Linux 5.3 kernel headers.
- S390: Add new s390 platform z15.
- Make tst-strftime2 and tst-strftime3 depend on locale generation
- mips: Force RWX stack for hard-float builds that can run on pre-4.8 kernels
- malloc: Fix missing accounting of top chunk in malloc_info [BZ #24026]
- Add glibc.malloc.mxfast tunable
- malloc: Various cleanups for malloc/tst-mxfast
- Base max_fast on alignment, not width, of bins (Bug 24903)
* Mon Sep 30 2019 Florian Weimer <fweimer@redhat.com> - 2.30-6
- Set the expects flags to clock_nanosleep (#1473680)
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1395758 - glibc: incomplete rollback of dynamic linker state on
linking failure
https://bugzilla.redhat.com/show_bug.cgi?id=1395758
[ 2 ] Bug #1774682 - CVE-2019-19126 glibc: LD_PREFER_MAP_32BIT_EXEC not
ignored in setuid binaries [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1774682
-------------------------------------------------------------------------------
-

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-1a3bdfde17' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org