You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa glibc

Sigurnosni nedostaci programskog paketa glibc

——————————————————————————–
Fedora Update Notification
FEDORA-2014-9830
2014-08-28 14:39:04
——————————————————————————–

Name : glibc
Product : Fedora 19
Version : 2.17
Release : 21.fc19
URL : http://www.gnu.org/software/glibc/
Summary : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

——————————————————————————–
Update Information:

An off-by-one heap-based buffer overflow flaw was found in glibc’s internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application. (CVE-2014-5119).

A directory traveral flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application. (CVE-2014-0475)
——————————————————————————–
ChangeLog:

* Wed Aug 27 2014 Carlos O’Donell <carlos@redhat.com> – 2.17-21
– Remove gconv transliteration loadable modules support (CVE-2014-5119,
– _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,
* Fri Nov 8 2013 Carlos O’Donell <carlos@redhat.com> – 2.17-20
– Depend on systemd instead of systemd-units (#1028430).
* Mon Oct 28 2013 Carlos O’Donell <carlos@redhat.com> – 2.17-19
– Add support for installing the dynmic loader in an alternate location.
This is required for correct AArch64 support (#950093).
* Sun Sep 22 2013 Carlos O’Donell <carlos@redhat.com> – 2.17-18
– Fix CVE-2013-4788: Static applications now support pointer mangling.
Existing static applications must be recompiled (#985625).
* Sun Sep 22 2013 Carlos O’Donell <carlos@redhat.com> – 2.17-17
– Fix indirect function support to avoid calling optimized routines
for the wrong hardware (#985342).
* Wed Sep 18 2013 Patsy Franklin <pfrankli@redhat.com> – 2.17-16
– Fix conditional requiring specific binutils for s390/s390x.
* Mon Sep 16 2013 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.17-15
– Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
* Mon Aug 26 2013 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.17-14
– Add systemd to BuildRequires (#999924).
– Expand sizes of some types in strcoll (#855399, CVE-2012-4424).
– Remove non-ELF support in rtkaio.
– Avoid inlining of cleanup function for kaio_suspend.
– Fix tst-aiod2 and tst-aiod3 test failures (#970865).
* Mon Aug 19 2013 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.17-13
– Fix stack overflow in getaddrinfo with many results (#947892, CVE-2013-1914).
* Mon Aug 19 2013 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.17-12
– Disable pt_chown (#984829, CVE-2013-2207).
– Fix strcoll flaws (#855399, CVE-2012-4412, CVE-2012-4424).
– Fix buffer overflow in readdir_r (#995841, CVE-2013-4237).
* Tue Jun 25 2013 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.17-11
– Fix libm performance regression due to set/restore rounding mode (#977887).
* Tue Jun 25 2013 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.17-10
– Preserve errno across _PC_CHOWN_RESTRICTED call on XFS (#977870).
– Remove PIPE_BUF Linux-specific code (#977872).
– Fix FPE in memusagestat when malloc utilization is zero (#977874).
– Accept leading and trailing spaces in getdate input string (#977875).
* Thu Jun 20 2013 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.17-9
– Set EAI_SYSTEM only when h_errno is NETDB_INTERNAL (#958652).
* Tue Jun 4 2013 Jeff Law <law@redhat.com> – 2.17-8
– Fix ESTALE error message (#966259)
* Sun May 5 2013 Patsy Franklin <pfrankli@redhat.com> – 2.17-7
– Fix _nl_find_msg malloc failure case, and callers. (#959034).
* Tue Apr 30 2013 Patsy Franklin <pfrankli@redhat.com> – 2.17-6
– Test init_fct for NULL, not result->__init_fct, after demangling (#952799).
* Tue Apr 23 2013 Patsy Franklin <pfrankli@redhat.com> – 2.17-5
– Increase limits on xdr name and record requests (#892777).
– Consistently MANGLE/DEMANGLE init_fct, end_fct and btow_fct (#952799).
——————————————————————————–
References:

[ 1 ] Bug #1129745 – CVE-2014-5119 glibc: out-of-bounds NUL write in iconv_open [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1129745
[ 2 ] Bug #1118581 – CVE-2014-0475 glibc: directory traversal in LC_* locale handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1118581
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update glibc’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Top
More in Preporuke
Zakrpe za ranjivost u Cisco IronPort uređaju

Cisco je izdao zakrpe za otjklanjanje ranjivosti CVE-2011-4862 koja je obzanjena u sigurnosnoj preporuci izdanoj 26. siječnja 2012. Tada nisu...

Close