Bug 40022

Summary: eglibc: Multiple issues (4.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Daniel Tröder <troeder>
Severity: normal
Priority: P5
Flags: requate: Patch_Available+
Version: UCS 4.1
Target Milestone: UCS 4.1-1-errata
Hardware: Other
OS: Linux
URL: https://github.com/fjserna/CVE-2015-7547
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 38407

Description Arvid Requate univentionstaff 2015-11-18 18:31:21 CET
* buffer overflow in gethostbyname_r and related functions (CVE-2015-1781)


+++ This bug was initially created as a clone of Bug #38407 +++
Comment 1 Arvid Requate univentionstaff 2016-02-16 17:38:31 CET
Upstream Debian package version 2.13-38+deb7u10 fixes these issues:

* Denial of service in nss_files (CVE-2014-8121)

* buffer overflow in gethostbyname_r and related functions (CVE-2015-1781)

* getaddrinfo, when processing AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its internal buffers, leading to a stack-based buffer overflow and arbitrary code execution. This vulnerability affects most applications which perform host name resolution using getaddrinfo, including system services (CVE-2015-7547)

* If an invalid separated time value is passed to strftime, the strftime function could crash or leak information. No affected applications are known (CVE-2015-8776)

* LD_POINTER_GUARD not ignored for SUID programs, enabling an unintended bypass of a security feature (CVE-2015-8777)

* The rarely-used hcreate and hcreate_r functions did not check the size argument properly, leading to a crash (denial of service) for certain arguments. No impacted applications are known at this time (CVE-2015-8778)

* The catopen function contains several unbound stack allocations (stack overflows), causing it to crash the process (denial of service). No applications where this issue has a security impact are currently known (CVE-2015-8779)
Comment 2 Arvid Requate univentionstaff 2016-02-16 20:26:20 CET
Upstream package has been imported and built including the patch from Bug 40059.
Advisory: eglibc.yaml
Comment 3 Daniel Tröder univentionstaff 2016-02-17 15:02:07 CET
OK: advisory (white space modification in r67511)
OK: manual test:

# git clone https://github.com/fjserna/CVE-2015-7547.git
# cd CVE-2015-7547
# make

# aptitude install '?source-package(^eglibc$)~i'=2.13-38.17.201410221243
# invoke-rc.d bind9 stop
# echo "nameserver  127.0.0.1" > /etc/resolv.conf
# ./CVE-2015-7547-poc.py 

# ./CVE-2015-7547-client 
Speicherzugriffsfehler

---- upgrade ----

# ucr commit /etc/resolv.conf
# invoke-rc.d bind9 start
# univention-upgrade --ignoressh --ignoreterm
# dpkg -l libc6
libc6:amd64                   2.13-38.29.20160216
# echo "nameserver  127.0.0.1" > /etc/resolv.conf
# invoke-rc.d bind9 stop
# ./CVE-2015-7547-poc.py 

# ./CVE-2015-7547-client 
CVE-2015-7547-client: getaddrinfo: Name or service not known
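An added example (not part of the bug report or of UCS) that checks whether an installed libc6 version string is at or above the errata build shown in the test above, without needing dpkg: it implements Debian's version ordering (epoch, upstream, revision; digit runs numeric, '~' sorting lowest). The two version strings are the ones quoted in this comment.

```python
import re
from itertools import zip_longest

# Versions quoted in the bug report: the build QA installed to reproduce
# CVE-2015-7547, and the errata build shown by `dpkg -l libc6` after upgrading.
VULNERABLE_VERSION = "2.13-38.17.201410221243"
FIXED_VERSION = "2.13-38.29.20160216"

def _take(pattern, s):
    """Split off the leading run matching pattern; return (run, remainder)."""
    run = re.match(pattern, s).group(0)
    return run, s[len(run):]

def _order(ch):
    """dpkg ordering of non-digits: '~' < end of string < letters < everything else."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """Compare one upstream-version or revision string the way dpkg does."""
    while a or b:
        na, a = _take(r"\D*", a)  # non-digit run, compared character-wise
        nb, b = _take(r"\D*", b)
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, a = _take(r"\d*", a)  # digit run, compared numerically
        db, b = _take(r"\d*", b)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1, mirroring `dpkg --compare-versions` lt/eq/gt."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(installed):
    """True when the installed libc6 is at least the UCS 4.1 errata build."""
    return compare_versions(installed, FIXED_VERSION) >= 0
```

Feed it the version column from `dpkg -l libc6` (or `dpkg-query -W -f '${Version}' libc6`) on each host to confirm the errata has landed.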
Comment 4 Arvid Requate univentionstaff 2016-02-17 18:53:39 CET
<http://errata.software-univention.de/ucs/4.1/115.html>