-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:168 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : glibc Date : March 30, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated glibc packages fix security vulnerabilities: Stephane Chazelas discovered that directory traversal issue in locale handling in glibc. glibc accepts relative paths with .. components in the LC_* and LANG variables. Together with typical OpenSSH configurations (with suitable AcceptEnv settings in sshd_config), this could conceivably be used to bypass ForceCommand restrictions (or restricted shells), assuming the attacker has sufficient level of access to a file system location on the host to create crafted locale definitions there (CVE-2014-0475). David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where posix_spawn_file_actions_addopen fails to copy the path argument (glibc bz #17048) which can, in conjunction with many common memory management techniques from an application, lead to a use after free, or other vulnerabilities (CVE-2014-4043). This update also fixes the following issues: x86: Disable x87 inline functions for SSE2 math (glibc bz #16510) malloc: Fix race in free() of fastbin chunk (glibc bz #15073) Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution. This update removes support of loadable gconv transliteration modules. Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose (CVE-2014-5119). Adhemerval Zanella Netto discovered out-of-bounds reads in additional code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364) that can be used to crash the systems, causing a denial of service conditions (CVE-2014-6040). The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs in the form of "$((... ))" where "..." can be anything valid. The backticks in the arithmetic epxression are evaluated by in a shell even if WRDE_NOCMD forbade command substitution. This allows an attacker to attempt to pass dangerous commands via constructs of the above form, and bypass the WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817). The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not properly restrict the use of the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers (CVE-2012-3406). The nss_dns implementation of getnetbyname could run into an infinite loop if the DNS response contained a PTR record of an unexpected format (CVE-2014-9402). Also glibc lock elision (new feature in glibc 2.18) has been disabled as it can break glibc at runtime on newer Intel hardware (due to hardware bug) Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer (CVE-2015-1472). The incorrect use of "__libc_use_alloca (newsize)" caused a different (and weaker) policy to be enforced which could allow a denial of service attack (CVE-2015-1473). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1473 http://advisories.mageia.org/MGASA-2014-0314.html http://advisories.mageia.org/MGASA-2014-0376.html http://advisories.mageia.org/MGASA-2014-0496.html http://advisories.mageia.org/MGASA-2015-0013.html http://advisories.mageia.org/MGASA-2015-0072.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 4813a9b0e1c42bf56140e891d79e2353 mbs2/x86_64/glibc-2.18-10.1.mbs2.x86_64.rpm 00e7c5806f84e66faff537c7dbdd2d75 mbs2/x86_64/glibc-devel-2.18-10.1.mbs2.x86_64.rpm befbdbd1e160b4e9228d9a2857ef470b mbs2/x86_64/glibc-doc-2.18-10.1.mbs2.noarch.rpm aac9ed0c364fd778af009708eccaceab mbs2/x86_64/glibc-i18ndata-2.18-10.1.mbs2.x86_64.rpm b6afecf4b2a18feb469935718e47c0e5 mbs2/x86_64/glibc-profile-2.18-10.1.mbs2.x86_64.rpm b3744f2fb467493e0eac75895f6daf61 mbs2/x86_64/glibc-static-devel-2.18-10.1.mbs2.x86_64.rpm 1145e4c5b240eb61f096f7ec45767f69 mbs2/x86_64/glibc-utils-2.18-10.1.mbs2.x86_64.rpm c09e1bc71aeaa471c72cea6828f054cf mbs2/x86_64/nscd-2.18-10.1.mbs2.x86_64.rpm 3d03bd7c7f066d36f97e5fee3db8c2b3 mbs2/SRPMS/glibc-2.18-10.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVGO6TmqjQ0CJFipgRApv6AKCttgtUwlS7NqmGCqL0ift/1utqmgCfdGsR srQv9Hgp0MxVLn0efzx6+BU= =VrqI -----END PGP SIGNATURE-----