Ubuntu 3239-2: GNU C Library Regression

    Date: 21 Mar 2017
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    USN-3239-1 introduced a regression in the GNU C Library.
    ==========================================================================
    Ubuntu Security Notice USN-3239-2
    March 21, 2017
    
    eglibc, glibc regression
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 16.04 LTS
    - Ubuntu 14.04 LTS
    - Ubuntu 12.04 LTS
    
    Summary:
    
    USN-3239-1 introduced a regression in the GNU C Library.
    
    Software Description:
    - glibc: GNU C Library
    - eglibc: GNU C Library
    
    Details:
    
    USN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately,
    the fix for CVE-2015-5180 introduced an internal ABI change within
    the resolver library. This update reverts the change. We apologize
    for the inconvenience.
    
    Please note that long-running services that were restarted to compensate
    for the USN-3239-1 update may need to be restarted again.
    
    Original advisory details:
    
     It was discovered that the GNU C Library incorrectly handled the
     strxfrm() function. An attacker could use this issue to cause a denial
     of service or possibly execute arbitrary code. This issue only affected
     Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982)
     
     It was discovered that an integer overflow existed in the
     _IO_wstr_overflow() function of the GNU C Library. An attacker could
     use this to cause a denial of service or possibly execute arbitrary
     code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04
     LTS. (CVE-2015-8983)
     
     It was discovered that the fnmatch() function in the GNU C Library
     did not properly handle certain malformed patterns. An attacker could
     use this to cause a denial of service. This issue only affected Ubuntu
     12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984)
     
     Alexander Cherepanov discovered a stack-based buffer overflow in the
     glob implementation of the GNU C Library. An attacker could use this
     to specially craft a directory layout and cause a denial of service.
     (CVE-2016-1234)
     
     Florian Weimer discovered a NULL pointer dereference in the DNS
     resolver of the GNU C Library. An attacker could use this to cause
     a denial of service. (CVE-2015-5180)
     
     Michael Petlan discovered an unbounded stack allocation in the
     getaddrinfo() function of the GNU C Library. An attacker could use
     this to cause a denial of service. (CVE-2016-3706)
     
     Aldy Hernandez discovered an unbounded stack allocation in the sunrpc
     implementation in the GNU C Library. An attacker could use this to
     cause a denial of service. (CVE-2016-4429)
     
     Tim Ruehsen discovered that the getaddrinfo() implementation in the
     GNU C Library did not properly track memory allocations. An attacker
     could use this to cause a denial of service. This issue only affected
     Ubuntu 16.04 LTS. (CVE-2016-5417)
     
     Andreas Schwab discovered that the GNU C Library on ARM 32-bit
     platforms did not properly set up execution contexts. An attacker
     could use this to cause a denial of service. (CVE-2016-6323)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 16.04 LTS:
      libc6                           2.23-0ubuntu7
    
    Ubuntu 14.04 LTS:
      libc6                           2.19-0ubuntu6.11
    
    Ubuntu 12.04 LTS:
      libc6                           2.15-0ubuntu10.17
    
    After a standard system update you need to reboot your computer to make
    all the necessary changes.
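As an added example (not part of the advisory or of Ubuntu's tooling), the following POSIX shell script checks the installed libc6 against the versions in the table above and lists processes that still map the glibc or libresolv files replaced by the update, which is the "long-running services may need to be restarted" case the advisory describes. It assumes Ubuntu's lsb_release and dpkg commands are present and that the release codenames are xenial, trusty and precise for 16.04, 14.04 and 12.04.

```shell
#!/bin/sh
# Added example, not part of the USN: check that libc6 on this Ubuntu release
# is at least the build listed in USN-3239-2, and list processes that still
# map the replaced glibc/resolver ("(deleted)" in /proc/PID/maps).
set -u

# Fixed libc6 versions per release codename, from the advisory's table.
fixed_libc6_version() {
    case "$1" in
        xenial)  echo "2.23-0ubuntu7" ;;
        trusty)  echo "2.19-0ubuntu6.11" ;;
        precise) echo "2.15-0ubuntu10.17" ;;
        *)       return 1 ;;
    esac
}

# True when the given maps file references a libc or libresolv object that
# was replaced on disk after the process loaded it (kernel marks "(deleted)").
maps_has_stale_glibc() {
    grep -Eq '/lib(c|resolv)[-.][0-9.]*so[.0-9]* \(deleted\)' "$1" 2>/dev/null
}

# Print the PID of every process that still maps the pre-update library.
procs_with_stale_glibc() {
    for map in /proc/[0-9]*/maps; do
        if maps_has_stale_glibc "$map"; then
            pid=${map#/proc/}; echo "${pid%/maps}"
        fi
    done
}

# Runs on the live system; assumes Ubuntu tooling (lsb_release, dpkg).
check_running_system() {
    codename=$(lsb_release -cs)
    if ! fixed=$(fixed_libc6_version "$codename"); then
        echo "release '$codename' is not covered by USN-3239-2"; return 1
    fi
    installed=$(dpkg-query -W -f '${Version}' libc6)
    if dpkg --compare-versions "$installed" ge "$fixed"; then
        echo "libc6 $installed includes the USN-3239-2 fix ($fixed)"
    else
        echo "libc6 $installed is older than $fixed: apply the update"
    fi
    stale=$(procs_with_stale_glibc | tr '\n' ' ')
    if [ -n "$stale" ]; then
        echo "still running the old glibc, restart or reboot: $stale"
    fi
}

if [ "${1:-}" = "--check" ]; then check_running_system; fi
```

Run it as `sh check_usn_3239_2.sh --check`; a reboot, as the advisory recommends, clears the stale-mapping list entirely.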
    
    References:
      http://www.ubuntu.com/usn/usn-3239-2
      http://www.ubuntu.com/usn/usn-3239-1
      https://bugs.launchpad.net/bugs/1674532
    
    Package Information:
      https://launchpad.net/ubuntu/+source/glibc/2.23-0ubuntu7
      https://launchpad.net/ubuntu/+source/eglibc/2.19-0ubuntu6.11
      https://launchpad.net/ubuntu/+source/eglibc/2.15-0ubuntu10.17
    
    