Stay Secure with the Latest Linux Advisories

security advisorybuffer overflowFedora

Fedora 41 glibc Security Advisory: 2025-497995b101 Critical Issues

This update addresses two security vulnerabilities: * CVE-2025-0395: A buffer overflow may occur in the assert function with certain large program names and assert expressions. * CVE-2025-0577: getrandom, arc4random can produce predictable randomness if a multi-threaded program creates additional threads after fork.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-497995b101 2025-01-27 01:38:38.336049+00:00 -------------------------------------------------------------------------------- Name : glibc Product : Fedora 41 Version : 2.40 Release : 21.fc41 URL : http://www.gnu.org/software/glibc/ Summary : The GNU libc libraries Description : The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. -------------------------------------------------------------------------------- Update Information: This update addresses two security vulnerabilities: * CVE-2025-0395: A buffer overflow may occur in the assert function with certain large program names and assert expressions. * CVE-2025-0577: getrandom, arc4random can produce predictable randomness if a multi-threaded program creates additional threads after fork. The following non-security bugs are fixed: * Compatibility with certain programs that call free(environ) is improved (however, deallocating environ remains undefined in general). * On certain non-Fedora kernels, mkstemp and other functions may not attempt to create multiple different file names and fail withEEXISTS. -------------------------------------------------------------------------------- ChangeLog: * Sat Jan 25 2025 Florian Weimer - 2.40-21 - setenv/putenv: Use new upstream free(environ) workaround (#2341908) (glibc-rh2341908.patch replaces glibc-environ-malloc.patch) - Auto-sync with upstream branch release/2.40/master, commit 85668221974db44459527e04d04f77ca8f8e3115: - stdlib: Test using setenv with updated environ [BZ #32588] - malloc: obscure calloc use in tst-calloc - Hide all malloc functions from compiler [BZ #32366] * Thu Jan 23 2025 Florian Weimer - 2.40-20 - CVE-2025-0577: getrandom, arc4random can be predictable after fork (#2338960) * Thu Jan 23 2025 Florian Weimer - 2.40-19 - Apply patch to improve compatibility with environ/malloc misuse * Thu Jan 23 2025 Florian Weimer - 2.40-18 - Auto-sync with upstream branch release/2.40/master, commit 7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c: - Fix underallocation of abort_msg_s struct (CVE-2025-0395) - Fix missing randomness in __gen_tempname (bug 32214) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2338960 - glibc: getrandom, arc4random can return predictable data after fork (CVE-2025-0577) https://bugzilla.redhat.com/show_bug.cgi?id=2338960 [ 2 ] Bug #2341631 - CVE-2025-0395 glibc: buffer overflow in the GNU C Library's assert() [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2341631 [ 3 ] Bug #2341853 - CVE-2025-0577 glibc: vDSO getrandom acceleration may return predictable randomness [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2341853 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-497995b101' at the command line. For more information, refer to the dnf documentation availableat http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue . Fedora releases patches for two key glibc security flaws, focusing on serious issues related to memory management and entropy weaknesses.. glibc security, Fedora updates, buffer overflow fix, predictable randomness threat. . Severity: Critical. LinuxSecurity.com Team

Jan 27, 2025 •Critical Fedora