Bug 37644 - eglibc: Multiple issues (3.2)
eglibc: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P2 normal (vote)
: UCS 3.2-5-errata
Assigned To: Moritz Muehlenhoff
Janek Walkenhorst
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-01-28 17:22 CET by Janek Walkenhorst
Modified: 2015-03-25 14:04 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Janek Walkenhorst univentionstaff 2015-01-28 17:22:56 CET
+++ This bug was initially created as a clone of Bug #33271 +++
Incorrect error handling in addmntent helper (CVE-2011-1089)

Incorrect memory handling in processing format strings (CVE-2012-3404)

Incorrect memory management using alloca() (CVE-2012-3405, CVE-2012-3406)

Integeroverflows in strto() (CVE-2012-3480)

Stack overflow in strcoll() (CVE-2012-4424)

Integer overflow in strcoll() (CVE-2012-4412)

Denial of service when processing regular expressions with multibyte characters (CVE-2013-0242)

Stack overflow in getaddrinfo() (CVE-2013-1914)

PTR_MANGLE encrypts pointers as a countermeasure against buffer overflows. When linking statically, this mangling doesn't work correctly. The impact on UCS is negligable, since the software shipped in UCS/Debian is dynamically linked (with very few exceptions). (CVE-2013-4788)

Insecure pseudotty ownership changes in pt_chown (CVE-2013-2207)

Missing sanitising for path length in readdir_r()  (CVE-2013-4237)

Multiple integer overflows in pvalloc(), valloc() and posix_memalign/memalign/aligned_alloc()  (CVE-2013-4332)

Stack overflow in getaddrinfo() (CVE-2013-4357)

Stack frame overflow in getaddrinfo() for Ipv6 sockets (CVE-2013-4458)

posix_spawn_file_actions_addopen() fails to copy the path argument (CVE-2014-4043)
Comment 1 Moritz Muehlenhoff univentionstaff 2015-02-06 09:06:39 CET
During high load getaddrinfo() may send DNS queries to random fds (CVE-2013-7423) (only recently assigned)
Comment 2 Moritz Muehlenhoff univentionstaff 2015-02-06 10:24:46 CET
Memory corruption in getaddrinfo() if the AI_IDN flag is used (CVE-2013-7424) (only recently assigned)
Comment 3 Moritz Muehlenhoff univentionstaff 2015-02-10 07:43:37 CET
Denial of service by passing overly long input to  getaddrinfo, getservbyname* and glob (CVE-2012-6686)
Comment 4 Moritz Muehlenhoff univentionstaff 2015-03-02 08:16:01 CET
> Incorrect error handling in addmntent helper (CVE-2011-1089)
> 
> Incorrect memory handling in processing format strings (CVE-2012-3404)

These two issues turned out to be already fixed in squeeze: They are part of the debian/patches/svn-updates.diff patch in the 2.11.3-1 upload.
Comment 5 Moritz Muehlenhoff univentionstaff 2015-03-06 13:44:49 CET
Denial of service in nss_files (CVE-2014-8121)
Comment 6 Moritz Muehlenhoff univentionstaff 2015-03-09 09:22:39 CET
(In reply to Moritz Muehlenhoff from comment #3)
> Denial of service by passing overly long input to  getaddrinfo,
> getservbyname* and glob (CVE-2012-6686)

This was rejected since it turned out to be a non-issue.
Comment 7 Moritz Muehlenhoff univentionstaff 2015-03-13 14:24:05 CET
The scanf() implementation crashes on some inputs (CVE-2011-5320) (ID only assigned yesterday)
Comment 8 Moritz Muehlenhoff univentionstaff 2015-03-23 14:07:12 CET
No backport or upstream fix exists for three issues; they have been moved to Bug 38115
Comment 9 Moritz Muehlenhoff univentionstaff 2015-03-23 14:31:45 CET
Update has been built, tests were successful.

YAML file: 2015-03-23-eglibc.yaml
Comment 10 Janek Walkenhorst univentionstaff 2015-03-24 14:45:18 CET
Tests: OK
Advisory: OK
Comment 11 Janek Walkenhorst univentionstaff 2015-03-25 14:04:30 CET
<http://errata.univention.de/ucs/3.2/309.html>