------------------------------------------------------------------------- Debian LTS Advisory DLA-3152-1 [email protected] https://www.debian.org/lts/security/ Helmut Grohne October 17, 2022 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : glibc Version : 2.28-10+deb10u2 CVE ID : CVE-2016-10228 CVE-2019-19126 CVE-2019-25013 CVE-2020-1752 CVE-2020-6096 CVE-2020-10029 CVE-2020-27618 CVE-2021-3326 CVE-2021-3999 CVE-2021-27645 CVE-2021-33574 CVE-2021-35942 CVE-2022-23218 CVE-2022-23219 Debian Bug : 856503 945250 953108 953788 961452 973914 979273 981198 983479 989147 990542 This update fixes a wide range of vulnerabilities. A significant portion affects character set conversion. CVE-2016-10228 The iconv program in the GNU C Library when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. CVE-2019-19126 On the x86-64 architecture, the GNU C Library fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. CVE-2019-25013 The iconv feature in the GNU C Library, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. CVE-2020-10029 The GNU C Library could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. CVE-2020-1752 A use-after-free vulnerability introduced in glibc was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. CVE-2020-27618 The iconv function in the GNU C Library, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228. CVE-2020-6096 An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. CVE-2021-27645 The nameserver caching daemon (nscd) in the GNU C Library, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c. CVE-2021-3326 The iconv function in the GNU C Library, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. CVE-2021-33574 The mq_notify function in the GNU C Library has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. CVE-2021-35942 The wordexp function in the GNU C Library may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations. CVE-2021-3999 An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system. CVE-2022-23218 The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. CVE-2022-23219 The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. For Debian 10 buster, these problems have been fixed in version 2.28-10+deb10u2. We recommend that you upgrade your glibc packages. For the detailed security status of glibc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/glibc Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS: DLA-3152-1: glibc security update
October 17, 2022
This update fixes a wide range of vulnerabilities
Summary
983479 989147 990542
This update fixes a wide range of vulnerabilities. A significant portion
affects character set conversion.
CVE-2016-10228
The iconv program in the GNU C Library when invoked with multiple
suffixes in the destination encoding (TRANSLATE or IGNORE) along with
the -c option, enters an infinite loop when processing invalid
multi-byte input sequences, leading to a denial of service.
CVE-2019-19126
On the x86-64 architecture, the GNU C Library fails to ignore the
LD_PREFER_MAP_32BIT_EXEC environment variable during program
execution after a security transition, allowing local attackers to
restrict the possible mapping addresses for loaded libraries and
thus bypass ASLR for a setuid program.
CVE-2019-25013
The iconv feature in the GNU C Library, when processing invalid
multi-byte input sequences in the EUC-KR encoding, may have a buffer
over-read.
CVE-2020-10029
The GNU C Library could overflow an on-stack buffer during range
reduction if an input to an 80-bit long double function contains a
non-canonical bit pattern, a seen when passing a
0x5d414141414141410000 value to sinl on x86 targets. This is related
to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.
CVE-2020-1752
A use-after-free vulnerability introduced in glibc was found in the
way the tilde expansion was carried out. Directory paths containing
an initial tilde followed by a valid username were affected by this
issue. A local attacker could exploit this flaw by creating a
specially crafted path that, when processed by the glob function,
would potentially lead to arbitrary code execution.
CVE-2020-27618
The iconv function in the GNU C Library, when processing invalid
multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390,
and IBM1399 encodings, fails to advance the input state, which could
lead to an infinite loop in applications, resulting in a denial of
service, a different vulnerability from CVE-2016-10228.
CVE-2020-6096
An exploitable signed comparison vulnerability exists in the ARMv7
memcpy() implementation of GNU glibc. Calling memcpy() (on ARMv7
targets that utilize the GNU glibc implementation) with a negative
value for the 'num' parameter results in a signed comparison
vulnerability. If an attacker underflows the 'num' parameter to
memcpy(), this vulnerability could lead to undefined behavior such as
writing to out-of-bounds memory and potentially remote code
execution. Furthermore, this memcpy() implementation allows for
program execution to continue in scenarios where a segmentation fault
or crash should have occurred. The dangers occur in that subsequent
execution and iterations of this code will be executed with this
corrupted data.
CVE-2021-27645
The nameserver caching daemon (nscd) in the GNU C Library, when
processing a request for netgroup lookup, may crash due to a
double-free, potentially resulting in degraded service or Denial of
Service on the local system. This is related to netgroupcache.c.
CVE-2021-3326
The iconv function in the GNU C Library, when processing invalid
input sequences in the ISO-2022-JP-3 encoding, fails an assertion in
the code path and aborts the program, potentially resulting in a
denial of service.
CVE-2021-33574
The mq_notify function in the GNU C Library has a use-after-free. It
may use the notification thread attributes object (passed through
its struct sigevent parameter) after it has been freed by the caller,
leading to a denial of service (application crash) or possibly
unspecified other impact.
CVE-2021-35942
The wordexp function in the GNU C Library may crash or read arbitrary
memory in parse_param (in posix/wordexp.c) when called with an
untrusted, crafted pattern, potentially resulting in a denial of
service or disclosure of information. This occurs because atoi was
used but strtoul should have been used to ensure correct calculations.
CVE-2021-3999
An off-by-one buffer overflow and underflow in getcwd() may lead to
memory corruption when the size of the buffer is exactly 1. A local
attacker who can control the input buffer and size passed to getcwd()
in a setuid program could use this flaw to potentially execute
arbitrary code and escalate their privileges on the system.
CVE-2022-23218
The deprecated compatibility function svcunix_create in the sunrpc
module of the GNU C Library copies its path argument on the stack
without validating its length, which may result in a buffer overflow,
potentially resulting in a denial of service or (if an application
is not built with a stack protector enabled) arbitrary code execution.
CVE-2022-23219
The deprecated compatibility function clnt_create in the sunrpc module
of the GNU C Library copies its hostname argument on the stack without
validating its length, which may result in a buffer overflow,
potentially resulting in a denial of service or (if an application is
not built with a stack protector enabled) arbitrary code execution.
For Debian 10 buster, these problems have been fixed in version
2.28-10+deb10u2.
We recommend that you upgrade your glibc packages.
For the detailed security status of glibc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/glibc
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Severity
Package : glibc
Version : 2.28-10+deb10u2
CVE ID : CVE-2016-10228 CVE-2019-19126 CVE-2019-25013
Debian Bug : 856503 945250 953108 953788 961452 973914 979273 981198
News
HOWTOs
Features
About Us
Powered By
