Lucene search
DebianDEBIAN:DLA-165-1:23BFEHistoryMar 06, 2015 - 3:39 p.m.
[SECURITY] [DLA 165-1] eglibc security update
2015-03-0615:39:53
lists.debian.org
22
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.046 Low
EPSS
Percentile
92.5%
Package : eglibc
Version : 2.11.3-4+deb6u5
CVE ID : CVE-2012-3405 CVE-2012-3406 CVE-2012-3480 CVE-2012-4412
CVE-2012-4424 CVE-2013-0242 CVE-2013-1914 CVE-2013-4237
CVE-2013-4332 CVE-2013-4357 CVE-2013-4458 CVE-2013-4788
CVE-2013-7423 CVE-2013-7424 CVE-2014-4043 CVE-2015-1472
CVE-2015-1473
Debian Bug : 553206 681473 681888 684889 687530 689423 699399 704623
717178 719558 722536 751774 765506 765526 765562
Several vulnerabilities have been fixed in eglibc, Debian's version of
the GNU C library.
#553206
CVE-2015-1472
CVE-2015-1473
The scanf family of functions do not properly limit stack
allocation, which allows context-dependent attackers to cause a
denial of service (crash) or possibly execute arbitrary code.
CVE-2012-3405
The printf family of functions do not properly calculate a buffer
length, which allows context-dependent attackers to bypass the
FORTIFY_SOURCE format-string protection mechanism and cause a
denial of service.
CVE-2012-3406
The printf family of functions do not properly limit stack
allocation, which allows context-dependent attackers to bypass the
FORTIFY_SOURCE format-string protection mechanism and cause a
denial of service (crash) or possibly execute arbitrary code via a
crafted format string.
CVE-2012-3480
Multiple integer overflows in the strtod, strtof, strtold,
strtod_l, and other related functions allow local users to cause a
denial of service (application crash) and possibly execute
arbitrary code via a long string, which triggers a stack-based
buffer overflow.
CVE-2012-4412
Integer overflow in the strcoll and wcscoll functions allows
context-dependent attackers to cause a denial of service (crash)
or possibly execute arbitrary code via a long string, which
triggers a heap-based buffer overflow.
CVE-2012-4424
Stack-based buffer overflow in the strcoll and wcscoll functions
allows context-dependent attackers to cause a denial of service
(crash) or possibly execute arbitrary code via a long string that
triggers a malloc failure and use of the alloca function.
CVE-2013-0242
Buffer overflow in the extend_buffers function in the regular
expression matcher allows context-dependent attackers to cause a
denial of service (memory corruption and crash) via crafted
multibyte characters.
CVE-2013-1914
CVE-2013-4458
Stack-based buffer overflow in the getaddrinfo function allows
remote attackers to cause a denial of service (crash) via a
hostname or IP address that triggers a large number of domain
conversion results.
CVE-2013-4237
readdir_r allows context-dependent attackers to cause a denial of
service (out-of-bounds write and crash) or possibly execute
arbitrary code via a malicious NTFS image or CIFS service.
CVE-2013-4332
Multiple integer overflows in malloc/malloc.c allow
context-dependent attackers to cause a denial of service (heap
corruption) via a large value to the pvalloc, valloc,
posix_memalign, memalign, or aligned_alloc functions.
CVE-2013-4357
The getaliasbyname, getaliasbyname_r, getaddrinfo, getservbyname,
getservbyname_r, getservbyport, getservbyport_r, and glob
functions do not properly limit stack allocation, which allows
context-dependent attackers to cause a denial of service (crash)
or possibly execute arbitrary code.
CVE-2013-4788
When the GNU C library is statically linked into an executable,
the PTR_MANGLE implementation does not initialize the random value
for the pointer guard, so that various hardening mechanisms are not
effective.
CVE-2013-7423
The send_dg function in resolv/res_send.c does not properly reuse
file descriptors, which allows remote attackers to send DNS
queries to unintended locations via a large number of requests that
trigger a call to the getaddrinfo function.
CVE-2013-7424
The getaddrinfo function may attempt to free an invalid pointer
when handling IDNs (Internationalised Domain Names), which allows
remote attackers to cause a denial of service (crash) or possibly
execute arbitrary code.
CVE-2014-4043
The posix_spawn_file_actions_addopen function does not copy its
path argument in accordance with the POSIX specification, which
allows context-dependent attackers to trigger use-after-free
vulnerabilities.
For the oldstable distribution (squeeze), these problems have been fixed
in version 2.11.3-4+deb6u5.
For the stable distribution (wheezy), these problems were fixed in
version 2.13-38+deb7u8 or earlier.
–
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
Attachment:
signature.asc
Description: This is a digitally signed message part
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 7 | amd64 | libc6 | < 2.13-38+deb7u1 | libc6_2.13-38+deb7u1_amd64.deb |
| Debian | 6 | i386 | libc6 | < 2.11.3-4+deb6u5 | libc6_2.11.3-4+deb6u5_i386.deb |
| Debian | 7 | s390x | nscd | < 2.13-38+deb7u1 | nscd_2.13-38+deb7u1_s390x.deb |
| Debian | 7 | mips | libc6-pic | < 2.13-38+deb7u1 | libc6-pic_2.13-38+deb7u1_mips.deb |
| Debian | 7 | mips | libc6-dev-mips64 | < 2.13-38+deb7u1 | libc6-dev-mips64_2.13-38+deb7u1_mips.deb |
| Debian | 7 | mips | libc6-dev-mipsn32 | < 2.13-38+deb7u1 | libc6-dev-mipsn32_2.13-38+deb7u1_mips.deb |
| Debian | 7 | mipsel | libc-dev-bin | < 2.13-38+deb7u1 | libc-dev-bin_2.13-38+deb7u1_mipsel.deb |
| Debian | 6 | amd64 | libnss-files-udeb | < 2.11.3-4+deb6u5 | libnss-files-udeb_2.11.3-4+deb6u5_amd64.deb |
| Debian | 7 | armel | libc6-dbg | < 2.13-38+deb7u1 | libc6-dbg_2.13-38+deb7u1_armel.deb |
| Debian | 7 | amd64 | libc6-dbg | < 2.13-38+deb7u1 | libc6-dbg_2.13-38+deb7u1_amd64.deb |
Related
nessus
nessus
Debian DLA-165-1 : eglibc security update
2015-03-26 00:00:00
Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 : eglibc vulnerabilities (USN-1991-1)
2013-10-22 00:00:00
SuSE 11.3 Security Update : glibc (SAT Patch Number 8337)
2013-12-10 00:00:00
osv
osv
eglibc - security update
2015-03-06 00:00:00
eglibc - security update
2015-02-23 00:00:00
eglibc - security update
2015-11-26 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package glibc version 6:2.17-alt6
2014-01-11 00:00:00
Security fix for the ALT Linux 7 package glibc version 6:2.17-alt6
2014-01-11 00:00:00
Security fix for the ALT Linux 6 package glibc version 6:2.11.3-alt8.M60P.3
2015-12-23 00:00:00
securityvulns
securityvulns
[ MDVSA-2013:284 ] glibc
2013-12-01 00:00:00
glibc security vulnerabilities
2013-12-01 00:00:00
GNU glibc multiple security vulnerabilities
2015-03-07 00:00:00
openvas
openvas
Ubuntu Update for eglibc USN-1991-1
2013-10-29 00:00:00
Ubuntu Update for eglibc USN-1991-1
2013-10-29 00:00:00
Gentoo Security Advisory GLSA 201503-04
2015-09-29 00:00:00
ubuntu
ubuntu
GNU C Library vulnerabilities
2013-10-21 00:00:00
GNU C Library vulnerabilities
2014-08-04 00:00:00
GNU C Library regression
2014-09-08 00:00:00
mageia
mageia
Updated glibc package fixes security vulnerabilities
2013-11-22 22:44:49
Updated glibc packages fix security vulnerabilities
2015-05-06 18:16:01
Updated glibc packages fix security vulnerabilities
2015-02-17 21:38:13
gentoo
gentoo
GNU C Library: Multiple vulnerabilities
2015-03-08 00:00:00
suse
suse
Security update for glibc (important)
2014-09-12 06:04:16
Security update for glibc (important)
2014-09-15 19:04:18
Security update for glibc (important)
2014-09-12 02:04:23
fedora
fedora
[SECURITY] Fedora 19 Update: glibc-2.17-18.fc19
2013-09-28 00:07:09
[SECURITY] Fedora 19 Update: glibc-2.17-13.fc19
2013-08-22 00:50:09
[SECURITY] Fedora 19 Update: glibc-2.17-21.fc19
2014-10-19 13:24:18
debian
debian
[SECURITY] [DSA 3169-1] eglibc security update
2015-02-23 06:08:58
[SECURITY] [DLA 350-1] eglibc security update
2015-11-26 17:49:39
slackware
slackware
[slackware-security] glibc
2014-10-24 05:36:04
oraclelinux
oraclelinux
glibc security, bug fix, and enhancement update
2013-11-25 00:00:00
glibc security, bug fix, and enhancement update
2015-11-24 00:00:00
glibc security and bug fix update
2013-04-24 00:00:00
amazon
amazon
redhat
redhat
(RHSA-2013:1605) Moderate: glibc security, bug fix, and enhancement update
2013-11-21 00:00:00
(RHSA-2015:2199) Moderate: glibc security, bug fix, and enhancement update
2015-11-19 14:39:58
(RHSA-2013:0769) Low: glibc security and bug fix update
2013-04-24 00:00:00
centos
centos
glibc, nscd security update
2013-11-26 13:31:38
glibc, nscd security update
2015-11-30 19:30:07
glibc, nscd security update
2014-10-20 18:08:56
prion
prion
Stack overflow
2013-12-12 18:55:00
Format string
2014-02-10 18:15:00
cve
cve
ibm
ibm
debiancve
debiancve
CVE-2013-4458
2013-12-12 18:55:00
CVE-2012-3406
2014-02-10 18:15:00
veracode
veracode
Stack-based Buffer Overflow
2019-05-02 04:44:45
Remote Code Execution (RCE)
2019-01-15 08:54:39
archlinux
archlinux
glibc: multiple issues
2015-02-09 00:00:00
ubuntucve
ubuntucve
f5
f5
SOL16364 - GNU C Library (glibc) vulnerability CVE-2012-3406
2015-04-03 00:00:00
K16364 : GNU C Library (glibc) vulnerability CVE-2012-3406
2015-07-23 00:00:00
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.046 Low
EPSS
Percentile
92.5%
Related for DEBIAN:DLA-165-1:23BFE