Bug 40022 - eglibc: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P5 normal
: UCS 4.1-1-errata
Assigned To: Arvid Requate
Daniel Tröder
https://github.com/fjserna/CVE-2015-7547
Depends on:
Blocks: 38407
Reported: 2015-11-18 18:31 CET by Arvid Requate
Modified: 2016-10-05 12:46 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+
Description Arvid Requate univentionstaff 2015-11-18 18:31:21 CET
* buffer overflow in gethostbyname_r and related functions (CVE-2015-1781)


+++ This bug was initially created as a clone of Bug #38407 +++
Comment 1 Arvid Requate univentionstaff 2016-02-16 17:38:31 CET
Upstream Debian package version 2.13-38+deb7u10 fixes these issues:

* Denial of service in nss_files (CVE-2014-8121)

* buffer overflow in gethostbyname_r and related functions (CVE-2015-1781)

* getaddrinfo, when processing AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its internal buffers, leading to a stack-based buffer overflow and arbitrary code execution. This vulnerability affects most applications which perform host name resolution using getaddrinfo, including system services (CVE-2015-7547)

* If an invalid separated time value is passed to strftime, the strftime function could crash or leak information. No affected applications are known (CVE-2015-8776)

* LD_POINTER_GUARD not ignored for SUID programs, enabling an unintended bypass of a security feature (CVE-2015-8777)

* The rarely-used hcreate and hcreate_r functions did not check the size argument properly, leading to a crash (denial of service) for certain arguments.  No impacted applications are known at this time (CVE-2015-8778)

* The catopen function contains several unbound stack allocations (stack overflows), causing it to crash the process (denial of service). No applications where this issue has a security impact are currently known (CVE-2015-8779)
Comment 2 Arvid Requate univentionstaff 2016-02-16 20:26:20 CET
Upstream package has been imported and built including the patch from Bug 40059.
Advisory: eglibc.yaml
Comment 3 Daniel Tröder univentionstaff 2016-02-17 15:02:07 CET
OK: advisory (white space modification in r67511)
OK: manual test:

# git clone https://github.com/fjserna/CVE-2015-7547.git
# cd CVE-2015-7547
# make

# aptitude install '?source-package(^eglibc$)~i'=2.13-38.17.201410221243
# invoke-rc.d bind9 stop
# echo "nameserver  127.0.0.1" > /etc/resolv.conf
# ./CVE-2015-7547-poc.py 

# ./CVE-2015-7547-client 
Speicherzugriffsfehler

---- upgrade ----

# ucr commit /etc/resolv.conf
# invoke-rc.d bind9 start
# univention-upgrade --ignoressh --ignoreterm
# dpkg -l libc6
libc6:amd64                   2.13-38.29.20160216
# echo "nameserver  127.0.0.1" > /etc/resolv.conf
# invoke-rc.d bind9 stop
# ./CVE-2015-7547-poc.py 

# ./CVE-2015-7547-client 
CVE-2015-7547-client: getaddrinfo: Name or service not known
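The manual test above ends with `dpkg -l libc6` showing 2.13-38.29.20160216, the version that carries the fix. When checking a fleet of hosts it helps to compare the installed version against that fixed version with the same ordering rules dpkg uses (epoch, then upstream part, then Debian revision, with digit runs compared numerically and `~` sorting before everything). The script below is an added example, not part of this ticket or of UCS; it reimplements dpkg's `verrevcmp()` ordering in Python and applies it to `dpkg -l` lines. The two `dpkg -l` sample lines are constructed (one with the pre-upgrade version from Comment 3, one with the fixed version); `FIXED_LIBC6` is taken from Comment 3 and assumed to be the first fixed version.

```python
"""Check whether installed libc6 is at or above the fixed version from this
ticket, using dpkg's own version-ordering rules (added example, not UCS code)."""

# Fixed package version as shown by `dpkg -l libc6` in Comment 3 (assumed to be
# the first fixed version).
FIXED_LIBC6 = "2.13-38.29.20160216"

# Constructed samples of `dpkg -l libc6` output, before and after the upgrade.
DPKG_L_BEFORE = "ii  libc6:amd64    2.13-38.17.201410221243   amd64   Embedded GNU C Library"
DPKG_L_AFTER = "ii  libc6:amd64    2.13-38.29.20160216       amd64   Embedded GNU C Library"


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Weight dpkg gives a character inside a non-digit segment: '~' sorts
    before everything (even end of string), letters before other punctuation,
    and end-of-string / digits count as 0."""
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(): alternate between
    lexically comparing non-digit runs and numerically comparing digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is the larger number;
        # for equal length the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` would."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def installed_version(dpkg_l_output: str, package: str = "libc6"):
    """Version column of the installed ('ii') line for `package`, or None."""
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii" and fields[1].split(":")[0] == package:
            return fields[2]
    return None


def is_patched(dpkg_l_output: str, fixed: str = FIXED_LIBC6) -> bool:
    """True when the installed libc6 is at or above the fixed version."""
    installed = installed_version(dpkg_l_output)
    return installed is not None and compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    for label, sample in (("before", DPKG_L_BEFORE), ("after", DPKG_L_AFTER)):
        print(label, installed_version(sample), "patched" if is_patched(sample) else "VULNERABLE")
```

On a real host, feed the output of `dpkg -l libc6` to `is_patched()`; the version comparison deliberately mirrors dpkg rather than doing a string compare, because a plain lexical comparison would misorder revisions such as `38.17...` against `38.29...` or treat a `~` pre-release as newer than the release it precedes.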
Comment 4 Arvid Requate univentionstaff 2016-02-17 18:53:39 CET
<http://errata.software-univention.de/ucs/4.1/115.html>