Debian LTS: DLA-3152-1: glibc security update | LinuxSecurity.com
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3152-1                [email protected]
https://www.debian.org/lts/security/                        Helmut Grohne
October 17, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : glibc
Version        : 2.28-10+deb10u2
CVE ID         : CVE-2016-10228 CVE-2019-19126 CVE-2019-25013
                 CVE-2020-1752 CVE-2020-6096 CVE-2020-10029
                 CVE-2020-27618 CVE-2021-3326 CVE-2021-3999
                 CVE-2021-27645 CVE-2021-33574 CVE-2021-35942 
                 CVE-2022-23218 CVE-2022-23219
Debian Bug     : 856503 945250 953108 953788 961452 973914 979273 981198
                 983479 989147 990542

This update fixes a wide range of vulnerabilities. A significant portion
affects character set conversion.

CVE-2016-10228

    The iconv program in the GNU C Library when invoked with multiple
    suffixes in the destination encoding (TRANSLATE or IGNORE) along with
    the -c option, enters an infinite loop when processing invalid
    multi-byte input sequences, leading to a denial of service.

CVE-2019-19126

    On the x86-64 architecture, the GNU C Library fails to ignore the
    LD_PREFER_MAP_32BIT_EXEC environment variable during program
    execution after a security transition, allowing local attackers to
    restrict the possible mapping addresses for loaded libraries and
    thus bypass ASLR for a setuid program.

CVE-2019-25013

    The iconv feature in the GNU C Library, when processing invalid
    multi-byte input sequences in the EUC-KR encoding, may have a buffer
    over-read.

CVE-2020-10029

    The GNU C Library could overflow an on-stack buffer during range
    reduction if an input to an 80-bit long double function contains a
    non-canonical bit pattern, a seen when passing a
    0x5d414141414141410000 value to sinl on x86 targets. This is related
    to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.

CVE-2020-1752

    A use-after-free vulnerability introduced in glibc was found in the
    way the tilde expansion was carried out. Directory paths containing
    an initial tilde followed by a valid username were affected by this
    issue. A local attacker could exploit this flaw by creating a
    specially crafted path that, when processed by the glob function,
    would potentially lead to arbitrary code execution.

CVE-2020-27618

    The iconv function in the GNU C Library, when processing invalid
    multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390,
    and IBM1399 encodings, fails to advance the input state, which could
    lead to an infinite loop in applications, resulting in a denial of
    service, a different vulnerability from CVE-2016-10228.

CVE-2020-6096

    An exploitable signed comparison vulnerability exists in the ARMv7
    memcpy() implementation of GNU glibc. Calling memcpy() (on ARMv7
    targets that utilize the GNU glibc implementation) with a negative
    value for the 'num' parameter results in a signed comparison
    vulnerability. If an attacker underflows the 'num' parameter to
    memcpy(), this vulnerability could lead to undefined behavior such as
    writing to out-of-bounds memory and potentially remote code
    execution.  Furthermore, this memcpy() implementation allows for
    program execution to continue in scenarios where a segmentation fault
    or crash should have occurred. The dangers occur in that subsequent
    execution and iterations of this code will be executed with this
    corrupted data.

CVE-2021-27645

    The nameserver caching daemon (nscd) in the GNU C Library, when
    processing a request for netgroup lookup, may crash due to a
    double-free, potentially resulting in degraded service or Denial of
    Service on the local system. This is related to netgroupcache.c.

CVE-2021-3326

    The iconv function in the GNU C Library, when processing invalid
    input sequences in the ISO-2022-JP-3 encoding, fails an assertion in
    the code path and aborts the program, potentially resulting in a
    denial of service.

CVE-2021-33574

    The mq_notify function in the GNU C Library has a use-after-free. It
    may use the notification thread attributes object (passed through
    its struct sigevent parameter) after it has been freed by the caller,
    leading to a denial of service (application crash) or possibly
    unspecified other impact.

CVE-2021-35942

    The wordexp function in the GNU C Library may crash or read arbitrary
    memory in parse_param (in posix/wordexp.c) when called with an
    untrusted, crafted pattern, potentially resulting in a denial of
    service or disclosure of information. This occurs because atoi was
    used but strtoul should have been used to ensure correct calculations.

CVE-2021-3999

    An off-by-one buffer overflow and underflow in getcwd() may lead to
    memory corruption when the size of the buffer is exactly 1. A local
    attacker who can control the input buffer and size passed to getcwd()
    in a setuid program could use this flaw to potentially execute
    arbitrary code and escalate their privileges on the system.

CVE-2022-23218

    The deprecated compatibility function svcunix_create in the sunrpc
    module of the GNU C Library copies its path argument on the stack
    without validating its length, which may result in a buffer overflow,
    potentially resulting in a denial of service or (if an application
    is not built with a stack protector enabled) arbitrary code execution.

CVE-2022-23219

    The deprecated compatibility function clnt_create in the sunrpc module
    of the GNU C Library copies its hostname argument on the stack without
    validating its length, which may result in a buffer overflow,
    potentially resulting in a denial of service or (if an application is
    not built with a stack protector enabled) arbitrary code execution.


For Debian 10 buster, these problems have been fixed in version
2.28-10+deb10u2.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/glibc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3152-1: glibc security update

October 17, 2022
This update fixes a wide range of vulnerabilities

Summary

983479 989147 990542

This update fixes a wide range of vulnerabilities. A significant portion
affects character set conversion.

CVE-2016-10228

The iconv program in the GNU C Library when invoked with multiple
suffixes in the destination encoding (TRANSLATE or IGNORE) along with
the -c option, enters an infinite loop when processing invalid
multi-byte input sequences, leading to a denial of service.

CVE-2019-19126

On the x86-64 architecture, the GNU C Library fails to ignore the
LD_PREFER_MAP_32BIT_EXEC environment variable during program
execution after a security transition, allowing local attackers to
restrict the possible mapping addresses for loaded libraries and
thus bypass ASLR for a setuid program.

CVE-2019-25013

The iconv feature in the GNU C Library, when processing invalid
multi-byte input sequences in the EUC-KR encoding, may have a buffer
over-read.

CVE-2020-10029

The GNU C Library could overflow an on-stack buffer during range
reduction if an input to an 80-bit long double function contains a
non-canonical bit pattern, a seen when passing a
0x5d414141414141410000 value to sinl on x86 targets. This is related
to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.

CVE-2020-1752

A use-after-free vulnerability introduced in glibc was found in the
way the tilde expansion was carried out. Directory paths containing
an initial tilde followed by a valid username were affected by this
issue. A local attacker could exploit this flaw by creating a
specially crafted path that, when processed by the glob function,
would potentially lead to arbitrary code execution.

CVE-2020-27618

The iconv function in the GNU C Library, when processing invalid
multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390,
and IBM1399 encodings, fails to advance the input state, which could
lead to an infinite loop in applications, resulting in a denial of
service, a different vulnerability from CVE-2016-10228.

CVE-2020-6096

An exploitable signed comparison vulnerability exists in the ARMv7
memcpy() implementation of GNU glibc. Calling memcpy() (on ARMv7
targets that utilize the GNU glibc implementation) with a negative
value for the 'num' parameter results in a signed comparison
vulnerability. If an attacker underflows the 'num' parameter to
memcpy(), this vulnerability could lead to undefined behavior such as
writing to out-of-bounds memory and potentially remote code
execution. Furthermore, this memcpy() implementation allows for
program execution to continue in scenarios where a segmentation fault
or crash should have occurred. The dangers occur in that subsequent
execution and iterations of this code will be executed with this
corrupted data.

CVE-2021-27645

The nameserver caching daemon (nscd) in the GNU C Library, when
processing a request for netgroup lookup, may crash due to a
double-free, potentially resulting in degraded service or Denial of
Service on the local system. This is related to netgroupcache.c.

CVE-2021-3326

The iconv function in the GNU C Library, when processing invalid
input sequences in the ISO-2022-JP-3 encoding, fails an assertion in
the code path and aborts the program, potentially resulting in a
denial of service.

CVE-2021-33574

The mq_notify function in the GNU C Library has a use-after-free. It
may use the notification thread attributes object (passed through
its struct sigevent parameter) after it has been freed by the caller,
leading to a denial of service (application crash) or possibly
unspecified other impact.

CVE-2021-35942

The wordexp function in the GNU C Library may crash or read arbitrary
memory in parse_param (in posix/wordexp.c) when called with an
untrusted, crafted pattern, potentially resulting in a denial of
service or disclosure of information. This occurs because atoi was
used but strtoul should have been used to ensure correct calculations.

CVE-2021-3999

An off-by-one buffer overflow and underflow in getcwd() may lead to
memory corruption when the size of the buffer is exactly 1. A local
attacker who can control the input buffer and size passed to getcwd()
in a setuid program could use this flaw to potentially execute
arbitrary code and escalate their privileges on the system.

CVE-2022-23218

The deprecated compatibility function svcunix_create in the sunrpc
module of the GNU C Library copies its path argument on the stack
without validating its length, which may result in a buffer overflow,
potentially resulting in a denial of service or (if an application
is not built with a stack protector enabled) arbitrary code execution.

CVE-2022-23219

The deprecated compatibility function clnt_create in the sunrpc module
of the GNU C Library copies its hostname argument on the stack without
validating its length, which may result in a buffer overflow,
potentially resulting in a denial of service or (if an application is
not built with a stack protector enabled) arbitrary code execution.


For Debian 10 buster, these problems have been fixed in version
2.28-10+deb10u2.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/glibc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Severity
Package : glibc
Version : 2.28-10+deb10u2
CVE ID : CVE-2016-10228 CVE-2019-19126 CVE-2019-25013
Debian Bug : 856503 945250 953108 953788 961452 973914 979273 981198

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.