RHSA-2012:1098

RHSA-2012:1200

[oss-security] 20120711 Re: CVE request: glibc formatted printing vulnerabilities

USN-1589-1

https://bugzilla.redhat.com/show_bug.cgi?id=833703

GLSA-201503-04

https://sourceware.org/bugzilla/show_bug.cgi?id=12445

The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not 'properly restrict the use of' the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405.

The remote host is affected by the vulnerability described in GLSA-201503-04 (GNU C Library: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the GNU C Library.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A local attacker may be able to execute arbitrary code or cause a Denial       of Service condition,.
  Workaround :

    There is no known workaround at this time.

An updated rhev-hypervisor6 package that fixes multiple security issues and various bugs is now available.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort. (CVE-2012-3404, CVE-2012-3405, CVE-2012-3406)

This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers :

CVE-2012-3817 (bind issue)

CVE-2012-3571 and CVE-2012-3954 (dhcp issues)

CVE-2011-1078 and CVE-2012-2383 (kernel issues)

CVE-2012-1013 and CVE-2012-1015 (krb5 issues)

CVE-2012-0441 (nss issue)

CVE-2012-2668 (openldap issue)

CVE-2012-2337 (sudo issue)

Users of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which fixes these issues.

The remote VMware ESXi 5.1 host is affected by the following security vulnerabilities :

  - An integer overflow condition exists in the glibc     library in the __tzfile_read() function that allows a     denial of service or arbitrary code execution.
    (CVE-2009-5029)

  - An error exists in the glibc library related to modified     loaders and 'LD_TRACE_LOADED_OBJECTS' checks that allow     arbitrary code execution. This issue is disputed by the     creators of glibc. (CVE-2009-5064)

  - An integer signedness error exists in the     elf_get_dynamic_info() function in elf/dynamic-link.h     that allows arbitrary code execution. (CVE-2010-0830)

  - An error exists in the glibc library in the addmntent()     function that allows a corruption of the '/etc/mtab'     file. (CVE-2011-1089)

  - An error exists in the libxslt library in the     xsltGenerateIdFunction() function that allows the     disclosure of sensitive information. (CVE-2011-1202)

  - An off-by-one overflow condition exists in the     xmlXPtrEvalXPtrPart() function due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this, via a specially     crafted XML file, to cause a denial of service condition     or the execution of arbitrary code. (CVE-2011-3102)

  - An out-of-bounds read error exists in the libxslt     library in the xsltCompilePatternInternal() function     that allows a denial of service. (CVE-2011-3970)

  - An error exists in the glibc library in the svc_run()     function that allows a denial of service.
    (CVE-2011-4609)

  - An overflow error exists in the glibc library in the     printf() function related to 'nargs' parsing that allows     arbitrary code execution. (CVE-2012-0864)

  - Multiple integer overflow conditions exist due to     improper validation of user-supplied input when handling     overly long strings. An unauthenticated, remote     attacker can exploit this, via a specially crafted XML     file, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2012-2807)

  - Multiple type-confusion errors exist in the     'IS_XSLT_ELEM' macro and the xsltApplyTemplates()     function that allow a denial of service or the     disclosure of sensitive information. (CVE-2012-2825,     CVE-2012-2871)

  - A use-after-free error exists in the libxslt library in     the xsltGenerateIdFunction() function that allows a     denial of service or arbitrary code execution.
    (CVE-2012-2870)

  - Multiple format string error exist in glibc that allow     arbitrary code execution. (CVE-2012-3404, CVE-2012-3405,     CVE-2012-3406)

  - Multiple overflow errors exist in the glibc functions     strtod(), strtof(), strtold(), and strtod_l() that allow     arbitrary code execution. (CVE-2012-3480)

  - A heap-based underflow condition exists in the bundled     libxml2 library due to incorrect parsing of strings not     containing an expected space. A remote attacker can     exploit this, via a specially crafted XML document, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2012-5134)

  - An arbitrary file modification vulnerability due to     improper handling of certain Virtual Machine file     descriptors. A local attacker can exploit this to read     or modify arbitrary files. (CVE-2013-5973)

The remote VMware ESXi 5.0 host is affected by Multiple Vulnerabilities :

  - An integer overflow condition exists in the
    __tzfile_read() function in the glibc library. An     unauthenticated, remote attacker can exploit this, via     a crafted timezone (TZ) file, to cause a denial of     service or the execution of arbitrary code.
    (CVE-2009-5029)

  - ldd in the glibc library is affected by a privilege     escalation vulnerability due to the omission of certain     LD_TRACE_LOADED_OBJECTS checks in a crafted executable     file. Note that this vulnerability is disputed by the     library vendor. (CVE-2009-5064)

  - A remote code execution vulnerability exists in the     glibc library due to an integer signedness error in the     elf_get_dynamic_info() function when the '--verify'     option is used. A remote attacker can exploit this by     using a crafted ELF program with a negative value for a     certain d_tag structure member in the ELF header.
    (CVE-2010-0830)

  - A flaw exists in OpenSSL due to a failure to properly     prevent modification of the ciphersuite in the session     cache when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is     enabled. A remote attacker can exploit this to force a     downgrade to an unintended cipher by intercepting the     network traffic to discover a session identifier.
    (CVE-2010-4180)

  - A flaw exists in OpenSSL due to a failure to properly     validate the public parameters in the J-PAKE protocol     when J-PAKE is enabled. A remote attacker can exploit     this, by sending crafted values in each round of the     protocol, to bypass the need for knowledge of the shared     secret. (CVE-2010-4252)

  - A out-of-bounds memory error exists in OpenSSL that     allows a remote attacker to cause a denial of service or     possibly obtain sensitive information by using a     malformed ClientHello handshake message. This is also     known as the 'OCSP stapling vulnerability'.
    (CVE-2011-0014)

  - A flaw exists in the addmntent() function in the glibc     library due to a failure to report the error status for     failed attempts to write to the /etc/mtab file. A local     attacker can exploit this to corrupt the file by using     writes from a process with a small RLIMIT_FSIZE value.
    (CVE-2011-1089)

  - A flaw exists in the png_set_text_2() function in the     file pngset.c in the libpng library due to a failure to     properly allocate memory. An unauthenticated, remote     attacker can exploit this, via a crafted text chunk in a     PNG image file, to trigger a heap-based buffer overflow,     resulting in denial of service or the execution of     arbitrary code. (CVE-2011-3048)

  - A flaw exists in the DTLS implementation in OpenSSL due     to performing a MAC check only if certain padding is     valid. A remote attacker can exploit this, via a padding     oracle attack, to recover the plaintext. (CVE-2011-4108)

  - A double-free error exists in OpenSSL when the     X509_V_FLAG_POLICY_CHECK is enabled. A remote attacker     can exploit this by triggering a policy check failure,     resulting in an unspecified impact. (CVE-2011-4109)

  - A flaw exists in OpenSSL in the SSL 3.0 implementation     due to improper initialization of data structures used     for block cipher padding. A remote attacker can exploit     this, by decrypting the padding data sent by an SSL     peer, to obtain sensitive information. (CVE-2011-4576)

  - A denial of service vulnerability exists in OpenSSL when     RFC 3779 support is enabled. A remote attacker can     exploit this to cause an assertion failure, by using an     X.509 certificate containing certificate extension data     associated with IP address blocks or Autonomous System     (AS) identifiers. (CVE-2011-4577)

  - A denial of service vulnerability exists in the RPC     implementation in the glibc library due to a flaw in the     svc_run() function. A remote attacker can exploit this,     via large number of RPC connections, to exhaust CPU     resources. (CVE-2011-4609)

  - A denial of service vulnerability exists in the Server     Gated Cryptography (SGC) implementation in OpenSSL due     to a failure to properly handle handshake restarts. A     remote attacker can exploit this, via unspecified     vectors, to exhaust CPU resources. (CVE-2011-4619)

  - A denial of service vulnerability exists in OpenSSL due     to improper support of DTLS applications. A remote     attacker can exploit this, via unspecified vectors     related to an out-of-bounds read error. Note that this     vulnerability exists because of an incorrect fix for     CVE-2011-4108. (CVE-2012-0050)

  - A security bypass vulnerability exists in the glibc     library due to an integer overflow condition in the     vfprintf() function in file stdio-common/vfprintf.c. An     attacker can exploit this, by using a large number of     arguments, to bypass the FORTIFY_SOURCE protection     mechanism, allowing format string attacks or writing to     arbitrary memory. (CVE-2012-0864)

  - A denial of service vulnerability exists in the glibc     library in the vfprintf() function in file     stdio-common/vfprintf.c due to a failure to properly     calculate a buffer length. An attacker can exploit this,     via a format string that uses positional parameters and     many format specifiers, to bypass the FORTIFY_SOURCE     format-string protection mechanism, thus causing stack     corruption and a crash. (CVE-2012-3404)

  - A denial of service vulnerability exists in the glibc     library in the vfprintf() function in file     stdio-common/vfprintf.c due to a failure to properly     calculate a buffer length. An attacker can exploit this,     via a format string with a large number of format     specifiers, to bypass the FORTIFY_SOURCE format-string     protection mechanism, thus triggering desynchronization     within the buffer size handling, resulting in a     segmentation fault and crash. (CVE-2012-3405)

  - A flaw exists in the glibc library in the vfprintf()     function in file stdio-common/vfprintf.c due to a     failure to properly restrict the use of the alloca()     function when allocating the SPECS array. An attacker     can exploit this, via a crafted format string using     positional parameters and a large number of format     specifiers, to bypass the FORTIFY_SOURCE format-string     protection mechanism, thus triggering a denial of     service or the possible execution of arbitrary code.
    (CVE-2012-3406)

  - A flaw exists in the glibc library due to multiple     integer overflow conditions in the strtod(), strtof(),     strtold(), strtod_l(), and other unspecified related     functions. A local attacker can exploit these to trigger     a stack-based buffer overflow, resulting in an     application crash or the possible execution of arbitrary     code. (CVE-2012-3480)

  - A privilege escalation vulnerability exists in the     Virtual Machine Communication Interface (VMCI) due to a     failure by control code to properly restrict memory     allocation. A local attacker can exploit this, via     unspecified vectors, to gain privileges. (CVE-2013-1406)

  - An error exists in the implementation of the Network     File Copy (NFC) protocol. A man-in-the-middle attacker     can exploit this, by modifying the client-server data     stream, to cause a denial of service or the execution     of arbitrary code. (CVE-2013-1659)

Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.

From Red Hat Security Advisory 2012:1098 :

Updated glibc packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function properly.

Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort. (CVE-2012-3404, CVE-2012-3405, CVE-2012-3406)

This update also fixes the following bug :

* A programming error caused an internal array of nameservers to be only partially initialized when the /etc/resolv.conf file contained IPv6 nameservers. Depending on the contents of a nearby structure, this could cause certain applications to terminate unexpectedly with a segmentation fault. The programming error has been fixed, which restores proper behavior with IPv6 nameservers listed in the /etc/resolv.conf file. (BZ#837026)

All users of glibc are advised to upgrade to these updated packages, which contain backported patches to fix these issues.

This collective update for the GNU C library (glibc) provides the following fixes :

  - Fix strtod integer/buffer overflows. (bnc#775690,     CVE-2012-3480)

  - Fix vfprintf handling of many format specifiers.
    (bnc#770891, CVE-2012-3404 / CVE-2012-3405 /     CVE-2012-3406)

  - Fix pthread_cond_timedwait stack unwinding. (bnc#750741,     bnc#777233)

  - Improve fix for dynamic library unloading. (bnc#783060)

  - Fix resolver when first query fails, but second one     succeeds. (bnc#767266)

a. vCenter Server Appliance directory traversal

   The vCenter Server Appliance (vCSA) contains a directory    traversal vulnerability that allows an authenticated    remote user to retrieve arbitrary files. Exploitation of    this issue may expose sensitive information stored on the    server. 

   VMware would like to thank Alexander Minozhenko from ERPScan for    reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-6324 to this issue.

 b. vCenter Server Appliance arbitrary file download

   The vCenter Server Appliance (vCSA) contains an XML parsing    vulnerability that allows an authenticated remote user to    retrieve arbitrary files.  Exploitation of this issue may    expose sensitive information stored on the server.

   VMware would like to thank Alexander Minozhenko from ERPScan for    reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-6325 to this issue.

 c. Update to ESX glibc package

   The ESX glibc package is updated to version glibc-2.5-81.el5_8.1    to resolve multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-5029, CVE-2009-5064,    CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, CVE-2012-0864    CVE-2012-3404, CVE-2012-3405, CVE-2012-3406 and CVE-2012-3480    to these issues.

 d. vCenter Server and vCSA webservice logging denial of service

   The vCenter Server and vCenter Server Appliance (vCSA) both    contain a vulnerability that allows unauthenticated remote    users to create abnormally large log entries.  Exploitation    of this issue may allow an attacker to fill the system volume    of the vCenter host or appliance VM and create a    denial-of-service condition. 

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2012-6326 to this issue.

USN-1589-1 fixed vulnerabilities in the GNU C Library. One of the updates exposed a regression in the floating point parser. This update fixes the problem.

We apologize for the inconvenience.

It was discovered that positional arguments to the printf() family of functions were not handled properly in the GNU C Library. An attacker could possibly use this to cause a stack-based buffer overflow, creating a denial of service or possibly execute arbitrary code.
(CVE-2012-3404, CVE-2012-3405, CVE-2012-3406)

It was discovered that multiple integer overflows existed in the strtod(), strtof() and strtold() functions in the GNU C Library. An attacker could possibly use this to trigger a stack-based buffer overflow, creating a denial of service or possibly execute arbitrary code. (CVE-2012-3480).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that positional arguments to the printf() family of functions were not handled properly in the GNU C Library. An attacker could possibly use this to cause a stack-based buffer overflow, creating a denial of service or possibly execute arbitrary code.
(CVE-2012-3404, CVE-2012-3405, CVE-2012-3406)

It was discovered that multiple integer overflows existed in the strtod(), strtof() and strtold() functions in the GNU C Library. An attacker could possibly use this to trigger a stack-based buffer overflow, creating a denial of service or possibly execute arbitrary code. (CVE-2012-3480).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function properly.

Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort. (CVE-2012-3404, CVE-2012-3405, CVE-2012-3406)

This update also fixes the following bug :

  - A programming error caused an internal array of     nameservers to be only partially initialized when the     /etc/resolv.conf file contained IPv6 nameservers.
    Depending on the contents of a nearby structure, this     could cause certain applications to terminate     unexpectedly with a segmentation fault. The programming     error has been fixed, which restores proper behavior     with IPv6 nameservers listed in the /etc/resolv.conf     file.

All users of glibc are advised to upgrade to these updated packages, which contain backported patches to fix these issues.

Updated glibc packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function properly.

Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort. (CVE-2012-3404, CVE-2012-3405, CVE-2012-3406)

This update also fixes the following bug :

* A programming error caused an internal array of nameservers to be only partially initialized when the /etc/resolv.conf file contained IPv6 nameservers. Depending on the contents of a nearby structure, this could cause certain applications to terminate unexpectedly with a segmentation fault. The programming error has been fixed, which restores proper behavior with IPv6 nameservers listed in the /etc/resolv.conf file. (BZ#837026)

All users of glibc are advised to upgrade to these updated packages, which contain backported patches to fix these issues.

ID	Name	Product	Family	Severity
82577	F5 Networks BIG-IP : GNU C Library (glibc) vulnerability (SOL16364)	Nessus	F5 Networks Local Security Checks	medium
81689	GLSA-201503-04 : GNU C Library: Multiple vulnerabilities (GHOST)	Nessus	Gentoo Local Security Checks	high
78931	RHEL 6 : rhev-hypervisor6 (RHSA-2012:1200)	Nessus	Red Hat Local Security Checks	medium
70886	ESXi 5.1 < Build 1063671 Multiple Vulnerabilities (remote check)	Nessus	Misc.	medium
70885	ESXi 5.0 < Build 912577 Multiple Vulnerabilities (remote check)	Nessus	Misc.	high
69599	Amazon Linux AMI : glibc (ALAS-2012-109)	Nessus	Amazon Linux Local Security Checks	medium
68583	Oracle Linux 6 : glibc (ELSA-2012-1098)	Nessus	Oracle Linux Local Security Checks	medium
64150	SuSE 11.2 Security Update : glibc (SAT Patch Number 7110)	Nessus	SuSE Local Security Checks	medium
63332	VMSA-2012-0018 : VMware security updates for vCSA and ESXi	Nessus	VMware ESX Local Security Checks	high
63285	Ubuntu 8.04 LTS : glibc regression (USN-1589-2)	Nessus	Ubuntu Local Security Checks	medium
62388	Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : eglibc, glibc vulnerabilities (USN-1589-1)	Nessus	Ubuntu Local Security Checks	medium
61369	Scientific Linux Security Update : glibc on SL6.x i386/x86_64 (20120718)	Nessus	Scientific Linux Local Security Checks	medium
60066	CentOS 6 : glibc (CESA-2012:1098)	Nessus	CentOS Local Security Checks	medium
60058	RHEL 6 : glibc (RHSA-2012:1098)	Nessus	Red Hat Local Security Checks	medium

CVE-2012-3404

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins