Univention Bugzilla – Bug 33271
eglibc: Multiple issues (3.2)
Last modified: 2015-01-29 09:41:03 CET
+++ This bug was initially created as a clone of Bug #29145 +++
Incorrect error handling in addmntent helper (CVE-2011-1089)
Incorrect memory handling in processing format strings (CVE-2012-3404)
Incorrect memory management using alloca() (CVE-2012-3405, CVE-2012-3406)
Integer overflows in strto() (CVE-2012-3480)
Stack overflow in strcoll() (CVE-2012-4424)
Integer overflow in strcoll() (CVE-2012-4412)
Denial of service when processing regular expressions with multibyte characters (CVE-2013-0242)
Stack overflow in getaddrinfo() (CVE-2013-1914)
PTR_MANGLE encrypts pointers as a countermeasure against buffer overflows. When linking statically, this mangling doesn't work correctly. The impact on UCS is negligible, since the software shipped in UCS/Debian is dynamically linked (with very few exceptions). (CVE-2013-4788)
Insecure pseudotty ownership changes in pt_chown (CVE-2013-2207)
Missing sanitising for path length in readdir_r() (CVE-2013-4237)
Multiple integer overflows in pvalloc(), valloc() and posix_memalign/memalign/aligned_alloc() (CVE-2013-4332)
Stack overflow in getaddrinfo() (CVE-2013-4357)
Stack frame overflow in getaddrinfo() for IPv6 sockets (CVE-2013-4458)
posix_spawn_file_actions_addopen() fails to copy the path argument (CVE-2014-4043)
Directory traversal in locale-related environment variables (CVE-2014-0475)
Off-by-one in locale handling (CVE-2014-5119)
Crashes in decoding invalid code pages (IBM930, IBM933, IBM935, IBM937, IBM939, IBM1364) (CVE-2012-6656, CVE-2014-6040)
Command execution in wordexp() with WRDE_NOCMD specified (CVE-2014-7817)
Denial of service through infinite loop in getnetbyname() (CVE-2014-9402)
Buffer overflow in gethostbyname and gethostbyname2 functions (CVE-2015-0235)
(In reply to Moritz Muehlenhoff from comment #0)
> Incorrect error handling in addmntent helper (CVE-2011-1089)
> Incorrect memory handling in processing format strings (CVE-2012-3404)
> Incorrect memory management using alloca() (CVE-2012-3405, CVE-2012-3406)
> Integer overflows in strto() (CVE-2012-3480)
> Stack overflow in strcoll() (CVE-2012-4424)
> Integer overflow in strcoll() (CVE-2012-4412)
> Denial of service when processing regular expressions with multibyte
> characters (CVE-2013-0242)
> Stack overflow in getaddrinfo() (CVE-2013-1914)
> PTR_MANGLE encrypts pointers as a countermeasure against buffer overflows.
> When linking statically, this mangling doesn't work correctly. The impact on
> UCS is negligible, since the software shipped in UCS/Debian is dynamically
> linked (with very few exceptions). (CVE-2013-4788)
> Insecure pseudotty ownership changes in pt_chown (CVE-2013-2207)
> Missing sanitising for path length in readdir_r() (CVE-2013-4237)
> Multiple integer overflows in pvalloc(), valloc() and
> posix_memalign/memalign/aligned_alloc() (CVE-2013-4332)
> Stack overflow in getaddrinfo() (CVE-2013-4357)

(In reply to Moritz Muehlenhoff from comment #1)
> Stack frame overflow in getaddrinfo() for IPv6 sockets (CVE-2013-4458)

(In reply to Moritz Muehlenhoff from comment #2)
> posix_spawn_file_actions_addopen() fails to copy the path argument
> (CVE-2014-4043)

Moved to Bug #37644
(In reply to Moritz Muehlenhoff from comment #3)
> Directory traversal in locale-related environment variables (CVE-2014-0475)

(In reply to Moritz Muehlenhoff from comment #4)
> Off-by-one in locale handling (CVE-2014-5119)

(In reply to Moritz Muehlenhoff from comment #5)
> Crashes in decoding invalid code pages (IBM930, IBM933, IBM935, IBM937,
> IBM939, IBM1364) (CVE-2012-6656, CVE-2014-6040)

(In reply to Moritz Muehlenhoff from comment #6)
> Command execution in wordexp() with WRDE_NOCMD specified (CVE-2014-7817)

(In reply to Moritz Muehlenhoff from comment #7)
> Denial of service through infinite loop in getnetbyname() (CVE-2014-9402)

(In reply to Janek Walkenhorst from comment #8)
> Buffer overflow in gethostbyname and gethostbyname2 functions (CVE-2015-0235)

Fixed with import of Debian old-lts
Advisory: 2015-01-28-eglibc-3.2.yaml
Tests (i386): OK
Tests (amd64): OK
OK: i386
OK: aptitude install '?source-package(eglibc)?installed'
OK: dpkg-query -W libc6 # 2.11.3-4.18.201501281259
OK: zless /usr/share/doc/libc6/changelog.Debian.gz
OK: ./GHOST # vulnerable → not vulnerable
OK: 2015-01-28-eglibc-3.2.yaml
OK: CVE-201?-*
FAIL: errata-announce -V $PWD/2015-01-28-eglibc.yaml
> [FAIL] version.scope: scope == version.max
> version: [0]
FIXED: r57640 | Bug #33271, Bug #37047 eglibc: GHOST YAML
r57641 | Bug #33271 eglibc: GHOST YAML Also as errata3.2-3
<http://errata.univention.de/ucs/3.2/278.html>