-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:111 http://www.mandriva.com/security/ _______________________________________________________________________ Package : glibc Date : June 8, 2010 Affected: 2008.0, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities was discovered and fixed in glibc: Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880). Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391 (CVE-2009-4881). nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function (CVE-2010-0015). The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request (CVE-2010-0296). Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header (CVE-2010-0830). Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4880 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4881 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0296 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: a6be61ab9c01b49d8367a227a98d5d2f 2008.0/i586/glibc-2.6.1-4.4mdv2008.0.i586.rpm 7ed4b1dd662b69be4204ceb7aa773e46 2008.0/i586/glibc-devel-2.6.1-4.4mdv2008.0.i586.rpm 3e87207fb07fe1881e89ffe8994a7700 2008.0/i586/glibc-doc-2.6.1-4.4mdv2008.0.i586.rpm 702d0e14fd50fd4492293f61645d416a 2008.0/i586/glibc-doc-pdf-2.6.1-4.4mdv2008.0.i586.rpm 483ed0881b3ae32c34b4d2a7f0470a0b 2008.0/i586/glibc-i18ndata-2.6.1-4.4mdv2008.0.i586.rpm cd07230fd5469530f02290dabad9251c 2008.0/i586/glibc-profile-2.6.1-4.4mdv2008.0.i586.rpm 2f4a231ea0ffc50377aa2ac239be828b 2008.0/i586/glibc-static-devel-2.6.1-4.4mdv2008.0.i586.rpm bafc97703cec81e14a7d59a053358a6b 2008.0/i586/glibc-utils-2.6.1-4.4mdv2008.0.i586.rpm 14bfc918f2021ecd4c44914c2088a2fd 2008.0/i586/nscd-2.6.1-4.4mdv2008.0.i586.rpm dd0ab158cfbc93d3d8da2be65b27d10b 2008.0/SRPMS/glibc-2.6.1-4.4mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 1b9acf433d349ea77f92952067ff99cd 2008.0/x86_64/glibc-2.6.1-4.4mdv2008.0.x86_64.rpm 509a91e2a81781aa709e17fc87b80976 2008.0/x86_64/glibc-devel-2.6.1-4.4mdv2008.0.x86_64.rpm e096abac716f5f3525976d8ea32a1aa0 2008.0/x86_64/glibc-doc-2.6.1-4.4mdv2008.0.x86_64.rpm 3658d77c02ec8fb3a66202b9eec423ff 2008.0/x86_64/glibc-doc-pdf-2.6.1-4.4mdv2008.0.x86_64.rpm e9400b007ec1c381857e81755cf00539 2008.0/x86_64/glibc-i18ndata-2.6.1-4.4mdv2008.0.x86_64.rpm 818a9b7914b502d6dce40443e6b2a514 2008.0/x86_64/glibc-profile-2.6.1-4.4mdv2008.0.x86_64.rpm 20f70cf11c5ceaaa5a23cab5eb67668f 2008.0/x86_64/glibc-static-devel-2.6.1-4.4mdv2008.0.x86_64.rpm abe9a2d6610a0ef12f0adae2cb8adf7f 2008.0/x86_64/glibc-utils-2.6.1-4.4mdv2008.0.x86_64.rpm 4b23dceb84f18a6975a80c43d5bdf26f 2008.0/x86_64/nscd-2.6.1-4.4mdv2008.0.x86_64.rpm dd0ab158cfbc93d3d8da2be65b27d10b 2008.0/SRPMS/glibc-2.6.1-4.4mdv2008.0.src.rpm Mandriva Linux 2009.0: 856644953ae0e7717458ae18629c4f5b 2009.0/i586/glibc-2.8-1.20080520.5.5mnb2.i586.rpm 4e1ddbf980e6e6eb9a4102c18b831d49 2009.0/i586/glibc-devel-2.8-1.20080520.5.5mnb2.i586.rpm ef0bf965eafd838c64d255a9cfe315f9 2009.0/i586/glibc-doc-2.8-1.20080520.5.5mnb2.i586.rpm 8ad0a0865c41e06e133d6f0056ee92b4 2009.0/i586/glibc-doc-pdf-2.8-1.20080520.5.5mnb2.i586.rpm 371929293e82487ba205a0743facad4a 2009.0/i586/glibc-i18ndata-2.8-1.20080520.5.5mnb2.i586.rpm 5848a26cc38ab67d3da83cd942da72fc 2009.0/i586/glibc-profile-2.8-1.20080520.5.5mnb2.i586.rpm bf4d854a749097ce82bd0265ddd25826 2009.0/i586/glibc-static-devel-2.8-1.20080520.5.5mnb2.i586.rpm 47b38b50f8c85c80b2f5e167a1bf8d7d 2009.0/i586/glibc-utils-2.8-1.20080520.5.5mnb2.i586.rpm c9ee2bfeffa362374fa98661f3caf41f 2009.0/i586/nscd-2.8-1.20080520.5.5mnb2.i586.rpm 7d6b93e422647a2728fd0e6af507d869 2009.0/SRPMS/glibc-2.8-1.20080520.5.5mnb2.src.rpm Mandriva Linux 2009.0/X86_64: 24a345f9db10bc7e0da9e68f5ec1a984 2009.0/x86_64/glibc-2.8-1.20080520.5.5mnb2.x86_64.rpm 83a5102696f40d67d9181c4e1d082897 2009.0/x86_64/glibc-devel-2.8-1.20080520.5.5mnb2.x86_64.rpm 0442c7560093fc53823fb5d13cd5d702 2009.0/x86_64/glibc-doc-2.8-1.20080520.5.5mnb2.x86_64.rpm df71ed7e7d339744288aa27dc14798bb 2009.0/x86_64/glibc-doc-pdf-2.8-1.20080520.5.5mnb2.x86_64.rpm 8c72bcd78e84c9a3529105716ae66551 2009.0/x86_64/glibc-i18ndata-2.8-1.20080520.5.5mnb2.x86_64.rpm c550910a8c3fb3b3d521b409773c4089 2009.0/x86_64/glibc-profile-2.8-1.20080520.5.5mnb2.x86_64.rpm f5a56c0d70d67fc7b3f6fa95fea98620 2009.0/x86_64/glibc-static-devel-2.8-1.20080520.5.5mnb2.x86_64.rpm 7f447e6eba9cae2db0bbf704847d18f4 2009.0/x86_64/glibc-utils-2.8-1.20080520.5.5mnb2.x86_64.rpm 3972f478aa6609f469199aa06be41a0d 2009.0/x86_64/nscd-2.8-1.20080520.5.5mnb2.x86_64.rpm 7d6b93e422647a2728fd0e6af507d869 2009.0/SRPMS/glibc-2.8-1.20080520.5.5mnb2.src.rpm Mandriva Linux 2009.1: 75599b6914505b16a4b44861a59f2e4e 2009.1/i586/glibc-2.9-0.20081113.5.1mnb2.i586.rpm 959d7981e383eb86becc9db13cc3fdce 2009.1/i586/glibc-devel-2.9-0.20081113.5.1mnb2.i586.rpm 18c069dfd92017cc17c8a551331a3eaf 2009.1/i586/glibc-doc-2.9-0.20081113.5.1mnb2.i586.rpm bd189c9f42f0ab82c51008270c7ef528 2009.1/i586/glibc-doc-pdf-2.9-0.20081113.5.1mnb2.i586.rpm 0bf20dd082699af1cf8367d50411d7a8 2009.1/i586/glibc-i18ndata-2.9-0.20081113.5.1mnb2.i586.rpm aa902e55d094c1b89b4947d0d66fed7d 2009.1/i586/glibc-profile-2.9-0.20081113.5.1mnb2.i586.rpm d31d3539ca2ea996049003e4b727c4fa 2009.1/i586/glibc-static-devel-2.9-0.20081113.5.1mnb2.i586.rpm c7029e5383461998105dbfe9786d35e2 2009.1/i586/glibc-utils-2.9-0.20081113.5.1mnb2.i586.rpm c1390de4d47c90348a86deb3fb5fe29e 2009.1/i586/nscd-2.9-0.20081113.5.1mnb2.i586.rpm b2bbbaeaccbc231398af8cb5668ecf0f 2009.1/SRPMS/glibc-2.9-0.20081113.5.1mnb2.src.rpm Mandriva Linux 2009.1/X86_64: c08cc51512927bedf87c0c2137e70d93 2009.1/x86_64/glibc-2.9-0.20081113.5.1mnb2.x86_64.rpm 979353ee28b8e88589df6230a35b3171 2009.1/x86_64/glibc-devel-2.9-0.20081113.5.1mnb2.x86_64.rpm 68a522d164ac4a9aca63917b8416b45d 2009.1/x86_64/glibc-doc-2.9-0.20081113.5.1mnb2.x86_64.rpm 249f206c1f605ffe03e2c6389ea0732e 2009.1/x86_64/glibc-doc-pdf-2.9-0.20081113.5.1mnb2.x86_64.rpm 9735ab8987c5b777863f746751a14fcf 2009.1/x86_64/glibc-i18ndata-2.9-0.20081113.5.1mnb2.x86_64.rpm b842de4d1b093814f4b629824882a881 2009.1/x86_64/glibc-profile-2.9-0.20081113.5.1mnb2.x86_64.rpm 9f6956ea5db7d4973f022c0004a359e9 2009.1/x86_64/glibc-static-devel-2.9-0.20081113.5.1mnb2.x86_64.rpm 5ca59e2341d0b68744a0c5ebfb5224be 2009.1/x86_64/glibc-utils-2.9-0.20081113.5.1mnb2.x86_64.rpm 52c0ace264d3fca58917cae6991664bb 2009.1/x86_64/nscd-2.9-0.20081113.5.1mnb2.x86_64.rpm b2bbbaeaccbc231398af8cb5668ecf0f 2009.1/SRPMS/glibc-2.9-0.20081113.5.1mnb2.src.rpm Corporate 4.0: 5fd8807026249afa3f3ca01aba1f8c6a corporate/4.0/i586/glibc-2.3.6-4.2.20060mlcs4.i586.rpm 30844454a9e669373230c118019a1209 corporate/4.0/i586/glibc-devel-2.3.6-4.2.20060mlcs4.i586.rpm 9d7718a14dadc1bc4373a63e7d735df4 corporate/4.0/i586/glibc-doc-2.3.6-4.2.20060mlcs4.i586.rpm e4b6c4f97a44fb47de07ef23182eca87 corporate/4.0/i586/glibc-doc-pdf-2.3.6-4.2.20060mlcs4.i586.rpm aae618bc1340785682246f41dc91b86d corporate/4.0/i586/glibc-i18ndata-2.3.6-4.2.20060mlcs4.i586.rpm af9ae88eddbe60591973e119d00dccf3 corporate/4.0/i586/glibc-profile-2.3.6-4.2.20060mlcs4.i586.rpm f362e05c58bfe050ae0b89df80b0747d corporate/4.0/i586/glibc-static-devel-2.3.6-4.2.20060mlcs4.i586.rpm b8af9c86eae73bb2db4faa8af76dd28d corporate/4.0/i586/glibc-utils-2.3.6-4.2.20060mlcs4.i586.rpm 051de1cbef9b89fbfa189c5dda7a6783 corporate/4.0/i586/ldconfig-2.3.6-4.2.20060mlcs4.i586.rpm 92c884effd58089aded82c88ab1183ac corporate/4.0/i586/nptl-devel-2.3.6-4.2.20060mlcs4.i586.rpm 38435ceabbd01854407f7cf0eaf0ded1 corporate/4.0/i586/nscd-2.3.6-4.2.20060mlcs4.i586.rpm 7f130bf64b8a854eb3cd795d6c27a6ac corporate/4.0/i586/timezone-2.3.6-4.2.20060mlcs4.i586.rpm 2d74557f84d7c715faaaa39510ebdce1 corporate/4.0/SRPMS/glibc-2.3.6-4.2.20060mlcs4.src.rpm Corporate 4.0/X86_64: 753ee3add96c6696ca303fb2b6e3d7bb corporate/4.0/x86_64/glibc-2.3.6-4.2.20060mlcs4.x86_64.rpm f780defc6098381fbe0b47361fbd1c9e corporate/4.0/x86_64/glibc-devel-2.3.6-4.2.20060mlcs4.x86_64.rpm 83d77ef5c9486cc3f03a2026e04c5ae1 corporate/4.0/x86_64/glibc-doc-2.3.6-4.2.20060mlcs4.x86_64.rpm c0454d43761010e0876c8f9fd6c8bd9b corporate/4.0/x86_64/glibc-doc-pdf-2.3.6-4.2.20060mlcs4.x86_64.rpm 6ca9dd63443969278c1a7290b2516166 corporate/4.0/x86_64/glibc-i18ndata-2.3.6-4.2.20060mlcs4.x86_64.rpm 21e7b009dd600a4517eb40e821ffb491 corporate/4.0/x86_64/glibc-profile-2.3.6-4.2.20060mlcs4.x86_64.rpm 4ed1c77efc665c569d15d92e3e2ad56e corporate/4.0/x86_64/glibc-static-devel-2.3.6-4.2.20060mlcs4.x86_64.rpm 6c33731b82b85db66dccdf65a84057e0 corporate/4.0/x86_64/glibc-utils-2.3.6-4.2.20060mlcs4.x86_64.rpm 1825439f0db9148dcc6b3c4b7155f4d8 corporate/4.0/x86_64/ldconfig-2.3.6-4.2.20060mlcs4.x86_64.rpm 33fed6b0495dfbbcd835d640a63b84ea corporate/4.0/x86_64/nptl-devel-2.3.6-4.2.20060mlcs4.x86_64.rpm a9ee80992e9d89d8850aa2a41c8bb344 corporate/4.0/x86_64/nscd-2.3.6-4.2.20060mlcs4.x86_64.rpm bfb38484fa2d785e4062b0894b463678 corporate/4.0/x86_64/timezone-2.3.6-4.2.20060mlcs4.x86_64.rpm 2d74557f84d7c715faaaa39510ebdce1 corporate/4.0/SRPMS/glibc-2.3.6-4.2.20060mlcs4.src.rpm Mandriva Enterprise Server 5: 78d3ec91dcb1ee5c3cd9cb99681d614b mes5/i586/glibc-2.8-1.20080520.5.5mnb2.i586.rpm f13cada5b4f0e5b8a53911f9346c0299 mes5/i586/glibc-devel-2.8-1.20080520.5.5mnb2.i586.rpm 85c457d7ad80ea72f1adf93a53c7e76f mes5/i586/glibc-doc-2.8-1.20080520.5.5mnb2.i586.rpm 09eddacd8c1f87e80154c816105b6d1f mes5/i586/glibc-doc-pdf-2.8-1.20080520.5.5mnb2.i586.rpm 33c84c7eb3590098407422745b5d49c1 mes5/i586/glibc-i18ndata-2.8-1.20080520.5.5mnb2.i586.rpm 192a6e6ebca465866c13d8a80bc28ed6 mes5/i586/glibc-profile-2.8-1.20080520.5.5mnb2.i586.rpm 15fc6188ab0637cae61692458a5cc55d mes5/i586/glibc-static-devel-2.8-1.20080520.5.5mnb2.i586.rpm f89f43c819388fa9f6a5802d6c5645ff mes5/i586/glibc-utils-2.8-1.20080520.5.5mnb2.i586.rpm 3ff161e7f4a1b062ae83981583a60cf6 mes5/i586/nscd-2.8-1.20080520.5.5mnb2.i586.rpm b6ca59de2297012e0a6d40c5838f719f mes5/SRPMS/glibc-2.8-1.20080520.5.5mnb2.src.rpm Mandriva Enterprise Server 5/X86_64: b41e4dd6f0ecb9c99933285e3d2c2809 mes5/x86_64/glibc-2.8-1.20080520.5.5mnb2.x86_64.rpm 3a0afb0eb8309641ee1f72a182477770 mes5/x86_64/glibc-devel-2.8-1.20080520.5.5mnb2.x86_64.rpm 625474833757a289450ae3d1bb5d0a14 mes5/x86_64/glibc-doc-2.8-1.20080520.5.5mnb2.x86_64.rpm 20f20e3a124c14bc43696aa4c0a05c8e mes5/x86_64/glibc-doc-pdf-2.8-1.20080520.5.5mnb2.x86_64.rpm dc5c70046207fb4bd9ad332d042f8450 mes5/x86_64/glibc-i18ndata-2.8-1.20080520.5.5mnb2.x86_64.rpm e50c37ab3789c288089671b9e9d280cd mes5/x86_64/glibc-profile-2.8-1.20080520.5.5mnb2.x86_64.rpm 76a4270cfe2aac7bdc7dc1c335c8239d mes5/x86_64/glibc-static-devel-2.8-1.20080520.5.5mnb2.x86_64.rpm 09f32a6c168e9d5e7f36d9b186c97da8 mes5/x86_64/glibc-utils-2.8-1.20080520.5.5mnb2.x86_64.rpm fd97480329960e481a01e6f71b6687ac mes5/x86_64/nscd-2.8-1.20080520.5.5mnb2.x86_64.rpm b6ca59de2297012e0a6d40c5838f719f mes5/SRPMS/glibc-2.8-1.20080520.5.5mnb2.src.rpm Multi Network Firewall 2.0: 5b6db81692ab4e5164e8bcb14cffebab mnf/2.0/i586/glibc-2.3.3-12.10.100mdk.i586.rpm d2065336a373bdbccb6465efd2fa09f2 mnf/2.0/i586/glibc-devel-2.3.3-12.10.100mdk.i586.rpm 1192b92c4cbc757ac0a6154c41784fb8 mnf/2.0/i586/glibc-doc-2.3.3-12.10.100mdk.i586.rpm 2c749f83fa4d6f5f7e8aea549f860905 mnf/2.0/i586/glibc-doc-pdf-2.3.3-12.10.100mdk.i586.rpm 93e6898b74e31a357ea48aef47245e71 mnf/2.0/i586/glibc-i18ndata-2.3.3-12.10.100mdk.i586.rpm dc76ab0235d027ab2eb83625c99741b8 mnf/2.0/i586/glibc-profile-2.3.3-12.10.100mdk.i586.rpm e0e0e5b4885526772cfcb7917d099a46 mnf/2.0/i586/glibc-static-devel-2.3.3-12.10.100mdk.i586.rpm e947ee3c1b36fc33178c9885a5e6c308 mnf/2.0/i586/glibc-utils-2.3.3-12.10.100mdk.i586.rpm ad793eb1c073b608ac08120bff5c582e mnf/2.0/i586/ldconfig-2.3.3-12.10.100mdk.i586.rpm b57efefd913603ca0deac06de32233e9 mnf/2.0/i586/nptl-devel-2.3.3-12.10.100mdk.i586.rpm 9417bd9a3cf42275d8bdc1f4761397ab mnf/2.0/i586/nscd-2.3.3-12.10.100mdk.i586.rpm 85a9ed46d003581214b13051648289b7 mnf/2.0/i586/timezone-2.3.3-12.10.100mdk.i586.rpm 49ed670e6f336d49381ef9fe27c170fe mnf/2.0/SRPMS/glibc-2.3.3-12.10.100mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMDkBMmqjQ0CJFipgRAm+4AJ9isnMfUuEozPQ7pXnllN4ZHWIqOgCeKWgz sMpCsVrWgVEwC3ApL07K6ak= =OT8N -----END PGP SIGNATURE-----