-------------------------------------------------------------------------
Debian LTS Advisory DLA-3152-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Helmut Grohne
October 17, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : glibc
Version        : 2.28-10+deb10u2
CVE ID         : CVE-2016-10228 CVE-2019-19126 CVE-2019-25013
                 CVE-2020-1752 CVE-2020-6096 CVE-2020-10029
                 CVE-2020-27618 CVE-2021-3326 CVE-2021-3999
                 CVE-2021-27645 CVE-2021-33574 CVE-2021-35942 
                 CVE-2022-23218 CVE-2022-23219
Debian Bug     : 856503 945250 953108 953788 961452 973914 979273 981198
                 983479 989147 990542

This update fixes a wide range of vulnerabilities. A significant portion
affects character set conversion.

CVE-2016-10228

    The iconv program in the GNU C Library, when invoked with multiple
    suffixes in the destination encoding (TRANSLIT or IGNORE) together
    with the -c option, enters an infinite loop when processing invalid
    multi-byte input sequences, leading to a denial of service.

CVE-2019-19126

    On the x86-64 architecture, the GNU C Library fails to ignore the
    LD_PREFER_MAP_32BIT_EXEC environment variable during program
    execution after a security transition, allowing local attackers to
    restrict the possible mapping addresses for loaded libraries and
    thus bypass ASLR for a setuid program.

CVE-2019-25013

    The iconv feature in the GNU C Library, when processing invalid
    multi-byte input sequences in the EUC-KR encoding, may have a buffer
    over-read.

CVE-2020-10029

    The GNU C Library could overflow an on-stack buffer during range
    reduction if an input to an 80-bit long double function contains a
    non-canonical bit pattern, as seen when passing a
    0x5d414141414141410000 value to sinl on x86 targets. This is related
    to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
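A non-canonical 80-bit pattern is one the x87 FPU never produces by
itself: a nonzero exponent with the explicit integer bit clear (an
"unnormal", which is what the value above is), a zero exponent with the
integer bit set, or an infinity or NaN with the integer bit clear. An
application that accepts raw long double images from untrusted sources
can reject such patterns before they reach libm at all. The classifier
below is an added example, not glibc code: x87_is_canonical,
x87_raw_from_hex and x87_raw_from_ldbl are names chosen here, and the
little-endian byte layout it assumes is the one used on x86.

```c
#include <float.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An x87 80-bit value is 10 significant bytes; on x86 they are stored
 * little-endian: bytes 0..7 hold the 64-bit significand (bit 63 is the
 * explicit integer bit), bytes 8..9 hold the sign and 15-bit exponent. */
#define X87_RAW_LEN 10

/* Returns 1 if the encoding is one the FPU itself produces ("canonical"),
 * 0 for an unnormal, pseudo-denormal, pseudo-NaN or pseudo-infinity,
 * i.e. the class of patterns the advisory describes. */
int x87_is_canonical(const uint8_t raw[X87_RAW_LEN])
{
    uint64_t sig = 0;
    for (int i = 7; i >= 0; i--)
        sig = (sig << 8) | raw[i];
    unsigned exp = (((unsigned)raw[9] << 8) | raw[8]) & 0x7fffu;
    int integer_bit = (int)(sig >> 63);

    if (exp == 0)
        return integer_bit == 0;   /* zero or denormal: integer bit clear */
    return integer_bit == 1;       /* normal, inf or NaN: integer bit set */
}

/* Decode a 20-digit big-endian hex string, as the advisory writes the
 * pattern ("5d414141414141410000"), into the little-endian raw layout.
 * Returns 0 on success, -1 on a malformed string. */
int x87_raw_from_hex(const char *hex, uint8_t raw[X87_RAW_LEN])
{
    if (strlen(hex) != 2 * X87_RAW_LEN)
        return -1;
    for (int i = 0; i < X87_RAW_LEN; i++) {
        unsigned byte;
        if (sscanf(hex + 2 * i, "%2x", &byte) != 1)
            return -1;
        raw[X87_RAW_LEN - 1 - i] = (uint8_t)byte;
    }
    return 0;
}

/* Extract the raw bytes of a live long double on x86, where the 80-bit
 * format is padded to 12 or 16 bytes in memory. Returns -1 on targets
 * that do not use this format, where there is nothing to check. */
int x87_raw_from_ldbl(long double x, uint8_t raw[X87_RAW_LEN])
{
#if (defined(__x86_64__) || defined(__i386__)) && LDBL_MANT_DIG == 64
    memcpy(raw, &x, X87_RAW_LEN);
    return 0;
#else
    (void)x; (void)raw;
    return -1;
#endif
}
```

Feeding the advisory's pattern through x87_raw_from_hex and then
x87_is_canonical classifies it as non-canonical; 1.0L and +0.0L pass.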

CVE-2020-1752

    A use-after-free vulnerability was found in the way glibc carries
    out tilde expansion. Directory paths containing an initial tilde
    followed by a valid username were affected by this issue. A local
    attacker could exploit this flaw by creating a specially crafted
    path that, when processed by the glob function, could lead to
    arbitrary code execution.

CVE-2020-27618

    The iconv function in the GNU C Library, when processing invalid
    multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390,
    and IBM1399 encodings, fails to advance the input state, which could
    lead to an infinite loop in applications, resulting in a denial of
    service, a different vulnerability from CVE-2016-10228.

CVE-2020-6096

    The ARMv7 memcpy() implementation in GNU glibc compares its 'num'
    (length) parameter using a signed comparison. If an attacker can
    underflow the 'num' parameter passed to memcpy() (for example through
    an unchecked length subtraction in the caller) so that it has its
    sign bit set, the comparison misbehaves and memcpy() may write out of
    bounds, potentially leading to remote code execution. Furthermore,
    this memcpy() implementation allows program execution to continue in
    scenarios where a segmentation fault or crash should have occurred,
    so subsequent code runs on the corrupted data.
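The "negative" length usually comes from the caller: a length field
minus a header size, with no check that the field is at least as large
as the header. The added example below is not glibc code; the record
layout, HDR_LEN and the function names are assumptions made here. It
shows the unchecked subtraction wrapping to a size_t with its sign bit
set, beside a version that bounds the length against both the header
and the destination before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 4   /* assumed fixed record header size */

/* Vulnerable shape: returns the length that would be handed to memcpy()
 * without checking that total covers the header. For total < HDR_LEN
 * the subtraction wraps to a value near SIZE_MAX, i.e. "negative". */
size_t payload_len_unchecked(size_t total)
{
    return total - HDR_LEN;
}

/* Hardened: reject records shorter than the header and payloads larger
 * than the destination. Returns 0 and sets *copied, or -1. */
int copy_payload_checked(const uint8_t *rec, size_t total,
                         uint8_t *out, size_t out_len, size_t *copied)
{
    if (total < HDR_LEN)
        return -1;                         /* would underflow */
    size_t n = total - HDR_LEN;
    if (n > out_len)
        return -1;                         /* would overflow out */
    memcpy(out, rec + HDR_LEN, n);
    *copied = n;
    return 0;
}
```

With a two-byte "record" the unchecked length is SIZE_MAX - 1, while the
checked version refuses it; a 7-byte record copies its 3 payload bytes.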

CVE-2021-27645

    The name service cache daemon (nscd) in the GNU C Library, when
    processing a netgroup lookup request, may crash due to a double
    free, potentially resulting in degraded service or denial of
    service on the local system. This is related to netgroupcache.c.

CVE-2021-3326

    The iconv function in the GNU C Library, when processing invalid
    input sequences in the ISO-2022-JP-3 encoding, fails an assertion in
    the code path and aborts the program, potentially resulting in a
    denial of service.
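The iconv issues above (CVE-2016-10228, CVE-2019-25013, CVE-2020-27618
and CVE-2021-3326) all begin with invalid or truncated multi-byte input.
An application calling iconv(3) cannot fix the library, but it can make
sure its own retry loop never depends on the converter advancing: after
EILSEQ it must step past the bad byte itself, and it should stop on
EINVAL (truncated trailing sequence) or on any call that returns without
consuming input. The routine below is an added example, not code from
glibc or from the iconv program; convert_lossy is a name chosen here and
the charsets and inputs in the usage are constructed for illustration.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <string.h>

/* Convert in[0..in_len) from encoding "from" to "to" into out, which is
 * NUL terminated on success. Invalid sequences (EILSEQ) are dropped one
 * byte at a time, like iconv -c; a truncated sequence at the very end
 * (EINVAL) ends the conversion. Returns the number of output bytes, or
 * -1 on an unknown encoding, a full output buffer, or an iconv() call
 * that returns success without consuming any input. */
long convert_lossy(const char *to, const char *from,
                   const char *in, size_t in_len, char *out, size_t out_len)
{
    if (out_len == 0)
        return -1;
    iconv_t cd = iconv_open(to, from);
    if (cd == (iconv_t)-1)
        return -1;

    char *inp = (char *)in;              /* iconv() takes a non-const char** */
    size_t inleft = in_len;
    char *outp = out;
    size_t outleft = out_len - 1;        /* reserve the terminating NUL */
    long rc = 0;

    while (inleft > 0) {
        size_t before = inleft;
        size_t r = iconv(cd, &inp, &inleft, &outp, &outleft);
        if (r == (size_t)-1) {
            if (errno == EILSEQ && inleft > 0) {
                inp++;                   /* skip the offending byte ourselves */
                inleft--;                /* so a non-advancing converter cannot spin us */
                continue;
            }
            if (errno == EINVAL)         /* incomplete sequence at end of input */
                break;
            rc = -1;                     /* E2BIG or anything unexpected */
            break;
        }
        if (inleft == before) {          /* "success" with no progress: */
            rc = -1;                     /* stalled converter, bail out */
            break;
        }
    }

    if (rc == 0 && iconv(cd, NULL, NULL, &outp, &outleft) == (size_t)-1)
        rc = -1;                         /* could not flush shift state */
    iconv_close(cd);
    if (rc != 0)
        return -1;
    *outp = '\0';
    return (long)(outp - out);
}
```

Converting the constructed UTF-8 input "ab\xff" "cd" to ASCII yields
"abcd" (the stray 0xff is dropped); "ab\xc3", which ends in a truncated
sequence, yields "ab"; a too-small output buffer and an unknown charset
both report -1 rather than hanging.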

CVE-2021-33574

    The mq_notify function in the GNU C Library has a use-after-free. It
    may use the notification thread attributes object (passed through
    its struct sigevent parameter) after it has been freed by the caller,
    leading to a denial of service (application crash) or possibly
    unspecified other impact.

CVE-2021-35942

    The wordexp function in the GNU C Library may crash or read arbitrary
    memory in parse_param (in posix/wordexp.c) when called with an
    untrusted, crafted pattern, potentially resulting in a denial of
    service or disclosure of information. This occurs because atoi was
    used where strtoul should have been used, so a crafted number in the
    pattern was not parsed correctly.
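The atoi versus strtoul distinction matters because atoi returns an int:
a number that does not fit is silently truncated, so a value such as
2147483648 comes back negative and, if used as an index, reads before
the array. The added example below is not glibc's wordexp code; it is a
hypothetical positional-parameter lookup (the function names and the
parameter list are assumptions made here) written first with atoi and
then with strtoul plus the overflow, trailing-garbage and range checks
the number actually needs.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable: the index atoi() computes. On a 64-bit glibc the string
 * "2147483648" parses as 2147483648L and is truncated to INT_MIN, a
 * negative array index; on a 32-bit target it saturates instead. */
int positional_index_atoi(const char *digits)
{
    return atoi(digits);
}

/* Hardened: parse with strtoul(), reject a leading sign or space,
 * trailing junk and overflow, and bound the index by the number of
 * parameters available. Returns 0 and sets *idx, or -1. */
int positional_index_checked(const char *digits, size_t nparams, size_t *idx)
{
    if (digits[0] < '0' || digits[0] > '9')   /* strtoul would accept "-1" and " 7" */
        return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(digits, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (v >= nparams)
        return -1;
    *idx = (size_t)v;
    return 0;
}

/* Resolve "$N" against a parameter list the caller supplies. Returns the
 * parameter's value, or NULL when N is unusable. */
const char *lookup_positional(const char *digits,
                              const char *const *params, size_t nparams)
{
    size_t i;
    if (positional_index_checked(digits, nparams, &i) != 0)
        return NULL;
    return params[i];
}
```

With a constructed three-entry parameter list, "1" resolves to the second
entry while "2147483648", "-1", "1x" and an out-of-range "3" are all
rejected instead of turning into a bad index.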

CVE-2021-3999

    An off-by-one buffer overflow and underflow in getcwd() may lead to
    memory corruption when the size of the buffer is exactly 1. A local
    attacker who can control the input buffer and size passed to getcwd()
    in a setuid program could use this flaw to potentially execute
    arbitrary code and escalate their privileges on the system.
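A buffer of exactly one byte cannot hold even the root directory ("/"
plus the terminating NUL), so the only correct answer getcwd() can give
for it is ERANGE; callers should never pass such a size in the first
place. The helpers below are an added example, not glibc code
(getcwd_size1_is_erange, getcwd_checked and getcwd_alloc are names
chosen here, and the 256-byte starting size is an assumption): a
demonstration of what size 1 returns, a wrapper that refuses sizes below
2 before they reach getcwd(), and a heap variant that grows on ERANGE.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* What a one-byte buffer gets you: even "/" needs two bytes, so
 * getcwd(buf, 1) can only fail with ERANGE. Returns 1 if that is what
 * happens, 0 otherwise. */
int getcwd_size1_is_erange(void)
{
    char buf[1];
    errno = 0;
    return getcwd(buf, 1) == NULL && errno == ERANGE;
}

/* Caller-supplied buffer: refuse sizes that cannot hold "/" plus the
 * terminator instead of forwarding them to getcwd(). */
char *getcwd_checked(char *buf, size_t size)
{
    if (buf == NULL || size < 2) {
        errno = EINVAL;
        return NULL;
    }
    return getcwd(buf, size);
}

/* Heap variant: start at a sane size and double on ERANGE. The caller
 * frees the result. Returns NULL with errno set on a real failure. */
char *getcwd_alloc(void)
{
    size_t size = 256;
    for (;;) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        if (getcwd(buf, size) != NULL)
            return buf;
        int saved = errno;
        free(buf);
        if (saved != ERANGE || size > SIZE_MAX / 2) {
            errno = saved;
            return NULL;
        }
        size *= 2;
    }
}
```

getcwd_checked() with a one-byte buffer fails with EINVAL without ever
calling getcwd(); getcwd_alloc() returns the same absolute path that a
correctly sized caller buffer receives.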

CVE-2022-23218

    The deprecated compatibility function svcunix_create in the sunrpc
    module of the GNU C Library copies its path argument on the stack
    without validating its length, which may result in a buffer overflow,
    potentially resulting in a denial of service or (if an application
    is not built with a stack protector enabled) arbitrary code execution.

CVE-2022-23219

    The deprecated compatibility function clnt_create in the sunrpc module
    of the GNU C Library copies its hostname argument on the stack without
    validating its length, which may result in a buffer overflow,
    potentially resulting in a denial of service or (if an application is
    not built with a stack protector enabled) arbitrary code execution.
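Both sunrpc issues have the same shape: an argument string copied into a
fixed-size object on the stack with no check that it fits. An
application that still uses these deprecated functions should bound the
argument itself before the call. The added example below is not glibc's
sunrpc code; it uses struct sockaddr_un, whose sun_path (108 bytes on
Linux) is the kind of fixed buffer involved, to show the unchecked copy
beside a bounded one, plus the equivalent pre-check for a hostname
argument. The function names and the limits in the usage are assumptions
made here.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Length of s, scanning at most max bytes (a local stand-in for strnlen
 * so the example needs no feature-test macros). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The vulnerable shape: copies strlen(path)+1 bytes into the fixed-size
 * sun_path and trusts the caller's string. A path longer than sun_path
 * runs off the end of the structure (and, when sa is a local, off the
 * stack frame). Kept only as the "before"; never use it on untrusted
 * input. */
void unix_addr_unchecked(struct sockaddr_un *sa, const char *path)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, strlen(path) + 1);
}

/* Hardened: the path plus its terminator must fit in sun_path.
 * Returns 0 on success, -1 if the path is too long. */
int unix_addr_checked(struct sockaddr_un *sa, const char *path)
{
    size_t max = sizeof sa->sun_path;
    size_t n = bounded_len(path, max);
    if (n == max)                          /* no room for the NUL */
        return -1;
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, n + 1);
    return 0;
}

/* The same pre-check for a hostname before it reaches a function that
 * copies it into a fixed buffer: 1 if host plus its NUL fits in max. */
int hostname_fits(const char *host, size_t max)
{
    return bounded_len(host, max) < max;
}
```

A 107-character path (the longest that fits with its terminator) is
accepted by unix_addr_checked(), a 299-character one is refused, and
hostname_fits() applies the same rule against a caller-chosen limit.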


For Debian 10 buster, these problems have been fixed in version
2.28-10+deb10u2.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/glibc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
