Debian Security Advisory
DLA-165-1 eglibc -- LTS security update
- Date Reported: 06 Mar 2015
- Affected Packages: eglibc
- Vulnerable: Yes
- Security database references:
  In the Debian bugtracking system: Bug 553206, Bug 681473, Bug 681888, Bug 684889, Bug 687530, Bug 689423, Bug 699399, Bug 704623.
  In Mitre's CVE dictionary: CVE-2012-3405, CVE-2012-3406, CVE-2012-3480, CVE-2012-4412, CVE-2012-4424, CVE-2013-0242, CVE-2013-1914, CVE-2013-4237, CVE-2013-4332, CVE-2013-4357, CVE-2013-4458, CVE-2013-4788, CVE-2013-7423, CVE-2013-7424, CVE-2014-4043, CVE-2015-1472, CVE-2015-1473.
- More information:
Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library.
- #553206, CVE-2015-1472, CVE-2015-1473
The scanf family of functions do not properly limit stack allocation, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code.
- CVE-2012-3405
The printf family of functions do not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service.
- CVE-2012-3406
The printf family of functions do not properly limit stack allocation, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string.
- CVE-2012-3480
Multiple integer overflows in the strtod, strtof, strtold, strtod_l, and other related functions allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.
- CVE-2012-4412
Integer overflow in the strcoll and wcscoll functions allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.
- CVE-2012-4424
Stack-based buffer overflow in the strcoll and wcscoll functions allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.
- CVE-2013-0242
Buffer overflow in the extend_buffers function in the regular expression matcher allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.
- CVE-2013-1914, CVE-2013-4458
Stack-based buffer overflow in the getaddrinfo function allows remote attackers to cause a denial of service (crash) via a hostname or IP address that triggers a large number of domain conversion results.
- CVE-2013-4237
readdir_r allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a malicious NTFS image or CIFS service.
- CVE-2013-4332
Multiple integer overflows in malloc/malloc.c allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the pvalloc, valloc, posix_memalign, memalign, or aligned_alloc functions.
- CVE-2013-4357
The getaliasbyname, getaliasbyname_r, getaddrinfo, getservbyname, getservbyname_r, getservbyport, getservbyport_r, and glob functions do not properly limit stack allocation, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code.
- CVE-2013-4788
When the GNU C library is statically linked into an executable, the PTR_MANGLE implementation does not initialize the random value for the pointer guard, so that various hardening mechanisms are not effective.
- CVE-2013-7423
The send_dg function in resolv/res_send.c does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.
- CVE-2013-7424
The getaddrinfo function may attempt to free an invalid pointer when handling IDNs (Internationalised Domain Names), which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code.
- CVE-2014-4043
The posix_spawn_file_actions_addopen function does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.
For the oldstable distribution (squeeze), these problems have been fixed in version 2.11.3-4+deb6u5.
For the stable distribution (wheezy), these problems were fixed in version 2.13-38+deb7u8 or earlier.