Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Fedora 41 glibc Security Advisory: 2025-497995b101 Critical Issues

fedora
Calendar Grey January 27, 2025
Dist Fedora Esm H88
Fedora releases patches for two key glibc security flaws, focusing on serious issues related to memory management and entropy weaknesses.
This update addresses two security vulnerabilities: * CVE-2025-0395: A buffer overflow may occur in the assert function with certain large program names and assert expressions

Summary

The glibc package contains standard libraries which are used by

multiple programs on the system. In order to save disk space and

memory, as well as to make upgrading easier, common system code is

kept in one place and shared between programs. This particular package

contains the most important sets of shared libraries: the standard C

library and the standard math library. Without these two libraries, a

Linux system will not function.

Update Information:

This update addresses two security vulnerabilities: * CVE-2025-0395: A buffer overflow may occur in the assert function with certain large program names and assert expressions. * CVE-2025-0577: getrandom, arc4random can produce predictable randomness if a multi-threaded program creates additional threads after fork. The following non-security bugs are fixed: * Compatibility with certain programs that call free(environ) is improved (however, deallocating environ remains undefined in general). * On certain non-Fedora kernels, mkstemp and other functions may not attempt to create multiple different file names and fail with EEXISTS.

Topics%20covered

Topics Covered

security advisory buffer overflow Fedora glibc predictable randomness

Change Log

* Sat Jan 25 2025 Florian Weimer - 2.40-21 - setenv/putenv: Use new upstream free(environ) workaround (#2341908) (glibc-rh2341908.patch replaces glibc-environ-malloc.patch) - Auto-sync with upstream branch release/2.40/master, commit 85668221974db44459527e04d04f77ca8f8e3115: - stdlib: Test using setenv with updated environ [BZ #32588] - malloc: obscure calloc use in tst-calloc - Hide all malloc functions from compiler [BZ #32366] * Thu Jan 23 2025 Florian Weimer - 2.40-20 - CVE-2025-0577: getrandom, arc4random can be predictable after fork (#2338960) * Thu Jan 23 2025 Florian Weimer - 2.40-19 - Apply patch to improve compatibility with environ/malloc misuse * Thu Jan 23 2025 Florian Weimer - 2.40-18 - Auto-sync with upstream branch release/2.40/master, commit 7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c: - Fix underallocation of abort_msg_s struct (CVE-2025-0395) - Fix missing randomness in __gen_tempname (bug 32214)

References


[ 1 ] Bug #2338960 - glibc: getrandom, arc4random can return predictable data after fork (CVE-2025-0577) https://bugzilla.redhat.com/show_bug.cgi?id=2338960 [ 2 ] Bug #2341631 - CVE-2025-0395 glibc: buffer overflow in the GNU C Library's assert() [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2341631 [ 3 ] Bug #2341853 - CVE-2025-0577 glibc: vDSO getrandom acceleration may return predictable randomness [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2341853

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-497995b101' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: glibc
Product: Fedora 41
Version: 2.40
Release: 21.fc41
URL: http://www.gnu.org/software/glibc/
Summary: The GNU libc libraries

Topics%20covered

Topics Covered

security advisory buffer overflow Fedora glibc predictable randomness

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here