http://sourceware.org/bugzilla/show_bug.cgi?id=14547

MDVSA-2013:283

MDVSA-2013:284

[oss-security] 20130913 CVE Request -- glibc: strcoll() integer overflow leading to buffer  overflow + another alloca() stack overflow issue (upstream #14547 &&  #14552)

USN-1991-1

https://bugzilla.redhat.com/show_bug.cgi?id=858238

GLSA-201503-04

The remote NewStart CGSL host, running version MAIN 5.04, has glibc packages installed that are affected by multiple vulnerabilities:

  - elf/dl-load.c in ld.so in the GNU C Library (aka glibc     or libc6) through 2.11.2, and 2.12.x through 2.12.1,     does not properly handle a value of $ORIGIN for the     LD_AUDIT environment variable, which allows local users     to gain privileges via a crafted dynamic shared object     (DSO) located in an arbitrary directory. (CVE-2010-3847)

  - ld.so in the GNU C Library (aka glibc or libc6) before     2.11.3, and 2.12.x before 2.12.2, does not properly     restrict use of the LD_AUDIT environment variable to     reference dynamic shared objects (DSOs) as audit     objects, which allows local users to gain privileges by     leveraging an unsafe DSO located in a trusted library     directory, as demonstrated by libpcprofile.so.
    (CVE-2010-3856)

  - Integer overflow in string/strcoll_l.c in the GNU C     Library (aka glibc or libc6) 2.17 and earlier allows     context-dependent attackers to cause a denial of service     (crash) or possibly execute arbitrary code via a long     string, which triggers a heap-based buffer overflow.
    (CVE-2012-4412)

  - Stack-based buffer overflow in string/strcoll_l.c in the     GNU C Library (aka glibc or libc6) 2.17 and earlier     allows context-dependent attackers to cause a denial of     service (crash) or possibly execute arbitrary code via a     long string that triggers a malloc failure and use of     the alloca function. (CVE-2012-4424)

  - A flaw was found in the regular expression matching     routines that process multibyte character input. If an     application utilized the glibc regular expression     matching mechanism, an attacker could provide specially-     crafted input that, when processed, would cause the     application to crash. (CVE-2013-0242)

  - It was found that getaddrinfo() did not limit the amount     of stack memory used during name resolution. An attacker     able to make an application resolve an attacker-     controlled hostname or IP address could possibly cause     the application to exhaust all stack memory and crash.
    (CVE-2013-1914, CVE-2013-4458)

  - pt_chown in GNU C Library (aka glibc or libc6) before     2.18 does not properly check permissions for tty files,     which allows local users to change the permission on the     files and obtain access to arbitrary pseudo-terminals by     leveraging a FUSE file system. (CVE-2013-2207)

  - An out-of-bounds write flaw was found in the way the     glibc's readdir_r() function handled file system entries     longer than the NAME_MAX character constant. A remote     attacker could provide a specially crafted NTFS or CIFS     file system that, when processed by an application using     readdir_r(), would cause that application to crash or,     potentially, allow the attacker to execute arbitrary     code with the privileges of the user running the     application. (CVE-2013-4237)

  - Multiple integer overflow flaws, leading to heap-based     buffer overflows, were found in glibc's memory allocator     functions (pvalloc, valloc, and memalign). If an     application used such a function, it could cause the     application to crash or, potentially, execute arbitrary     code with the privileges of the user running the     application. (CVE-2013-4332)

  - The PTR_MANGLE implementation in the GNU C Library (aka     glibc or libc6) 2.4, 2.17, and earlier, and Embedded     GLIBC (EGLIBC) does not initialize the random value for     the pointer guard, which makes it easier for context-     dependent attackers to control execution flow by     leveraging a buffer-overflow vulnerability in an     application and using the known zero value pointer guard     to calculate a pointer address. (CVE-2013-4788)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - stdlib/canonicalize.c in the GNU C Library (aka glibc     or libc6) 2.27 and earlier, when processing very long     pathname arguments to the realpath function, could     encounter an integer overflow on 32-bit architectures,     leading to a stack-based buffer overflow and,     potentially, arbitrary code execution.(CVE-2018-11236)

  - An integer overflow vulnerability was found in     hcreate() and hcreate_r() functions which could result     in an out-of-bounds memory access. This could lead to     application crash or, potentially, arbitrary code     execution.(CVE-2015-8778)

  - A stack-based buffer overflow was found in the way the     libresolv library performed dual A/AAAA DNS queries. A     remote attacker could create a specially crafted DNS     response which could cause libresolv to crash or,     potentially, execute code with the permissions of the     user running the library. Note: this issue is only     exposed when libresolv is called from the nss_dns NSS     service module.(CVE-2015-7547)

  - A flaw was found in the regular expression matching     routines that process multibyte character input. If an     application utilized the glibc regular expression     matching mechanism, an attacker could provide     specially-crafted input that, when processed, would     cause the application to crash.(CVE-2013-0242)

  - A flaw was found in the way memory was being allocated     on the stack for user space binaries. If heap (or     different memory region) and stack memory regions were     adjacent to each other, an attacker could use this flaw     to jump over the stack guard gap, cause controlled     memory corruption on process stack or the adjacent     memory region, and thus increase their privileges on     the system. This is glibc-side mitigation which blocks     processing of LD_LIBRARY_PATH for programs running in     secure-execution mode and reduces the number of     allocations performed by the processing of LD_AUDIT,     LD_PRELOAD, and LD_HWCAP_MASK, making successful     exploitation of this issue more     difficult.(CVE-2017-1000366)

  - The DNS stub resolver in the GNU C Library (aka glibc     or libc6) before version 2.26, when EDNS support is     enabled, will solicit large UDP responses from name     servers, potentially simplifying off-path DNS spoofing     attacks due to IP fragmentation.(CVE-2017-12132)

  - It was found that the files back end of Name Service     Switch (NSS) did not isolate iteration over an entire     database from key-based look-up API calls. An     application performing look-ups on a database while     iterating over it could enter an infinite loop, leading     to a denial of service.(CVE-2014-8121)

  - Stack-based buffer overflow in the getaddrinfo function     in sysdeps/posix/getaddrinfo.c in the GNU C Library     (aka glibc or libc6) allows remote attackers to cause a     denial of service (crash) via vectors involving hostent     conversion. NOTE: this vulnerability exists because of     an incomplete fix for CVE-2013-4458.(CVE-2016-3706)

  - In glibc 2.26 and earlier there is confusion in the     usage of getcwd() by realpath() which can be used to     write before the destination buffer leading to a buffer     underflow and potential code     execution.(CVE-2018-1000001)

  - Stack-based buffer overflow in string/strcoll_l.c in     the GNU C Library (aka glibc or libc6) 2.17 and earlier     allows context-dependent attackers to cause a denial of     service (crash) or possibly execute arbitrary code via     a long string that triggers a malloc failure and use of     the alloca function.(CVE-2012-4424)

  - It was found that the dynamic loader did not sanitize     the LD_POINTER_GUARD environment variable. An attacker     could use this flaw to bypass the pointer guarding     protection on set-user-ID or set-group-ID programs to     execute arbitrary code with the permissions of the user     running the application.(CVE-2015-8777)

  - The glob function in glob.c in the GNU C Library (aka     glibc or libc6) before 2.27 contains a buffer overflow     during unescaping of user names with the ~     operator.(CVE-2017-15804)

  - res_query in libresolv in glibc before 2.25 allows     remote attackers to cause a denial of service (NULL     pointer dereference and process crash).(CVE-2015-5180)

  - pt_chown in GNU C Library (aka glibc or libc6) before     2.18 does not properly check permissions for tty files,     which allows local users to change the permission on     the files and obtain access to arbitrary     pseudo-terminals by leveraging a FUSE file     system.(CVE-2013-2207)

  - A stack overflow flaw was found in glibc's swscanf()     function. An attacker able to make an application call     the swscanf() function could use this flaw to crash     that application or, potentially, execute arbitrary     code with the permissions of the user running the     application.(CVE-2015-1473)

  - It was found that getaddrinfo() did not limit the     amount of stack memory used during name resolution. An     attacker able to make an application resolve an     attacker-controlled hostname or IP address could     possibly cause the application to exhaust all stack     memory and crash.(CVE-2013-4458)

  - A heap-based buffer overflow was found in glibc's
    __nss_hostname_digits_dots() function, which is used by     the gethostbyname() and gethostbyname2() glibc function     calls. A remote attacker able to make an application     call either of these functions could use this flaw to     execute arbitrary code with the permissions of the user     running the application.(CVE-2015-0235)

  - Multiple integer overflow flaws, leading to heap-based     buffer overflows, were found in glibc's memory     allocator functions (pvalloc, valloc, and memalign). If     an application used such a function, it could cause the     application to crash or, potentially, execute arbitrary     code with the privileges of the user running the     application.(CVE-2013-4332)

  - An integer overflow in the implementation of the     posix_memalign in memalign functions in the GNU C     Library (aka glibc or libc6) 2.26 and earlier could     cause these functions to return a pointer to a heap     area that is too small, potentially leading to heap     corruption.(CVE-2018-6485)

  - A stack based buffer overflow vulnerability was found     in the catopen() function. An excessively long string     passed to the function could cause it to crash or,     potentially, execute arbitrary code.(CVE-2015-8779)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library.

#553206 CVE-2015-1472 CVE-2015-1473

The scanf family of functions do not properly limit stack allocation, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code.

CVE-2012-3405

The printf family of functions do not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service.

CVE-2012-3406

The printf family of functions do not properly limit stack allocation, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string.

CVE-2012-3480

Multiple integer overflows in the strtod, strtof, strtold, strtod_l, and other related functions allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.

CVE-2012-4412

Integer overflow in the strcoll and wcscoll functions allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.

CVE-2012-4424

Stack-based buffer overflow in the strcoll and wcscoll functions allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.

CVE-2013-0242

Buffer overflow in the extend_buffers function in the regular expression matcher allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.

CVE-2013-1914 CVE-2013-4458

Stack-based buffer overflow in the getaddrinfo function allows remote attackers to cause a denial of service (crash) via a hostname or IP address that triggers a large number of domain conversion results.

CVE-2013-4237

readdir_r allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a malicious NTFS image or CIFS service.

CVE-2013-4332

Multiple integer overflows in malloc/malloc.c allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the pvalloc, valloc, posix_memalign, memalign, or aligned_alloc functions.

CVE-2013-4357

The getaliasbyname, getaliasbyname_r, getaddrinfo, getservbyname, getservbyname_r, getservbyport, getservbyport_r, and glob functions do not properly limit stack allocation, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code.

CVE-2013-4788

When the GNU C library is statically linked into an executable, the PTR_MANGLE implementation does not initialize the random value for the pointer guard, so that various hardening mechanisms are not effective.

CVE-2013-7423

The send_dg function in resolv/res_send.c does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.

CVE-2013-7424

The getaddrinfo function may attempt to free an invalid pointer when handling IDNs (Internationalised Domain Names), which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code.

CVE-2014-4043

The posix_spawn_file_actions_addopen function does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.

For the oldstable distribution (squeeze), these problems have been fixed in version 2.11.3-4+deb6u5.

For the stable distribution (wheezy), these problems were fixed in version 2.13-38+deb7u8 or earlier.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201503-04 (GNU C Library: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the GNU C Library.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A local attacker may be able to execute arbitrary code or cause a Denial       of Service condition,.
  Workaround :

    There is no known workaround at this time.

New glibc packages are available for Slackware 14.1 and -current to fix security issues.

Updated glibc packages fixes the following security issues :

Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow (CVE-2012-4412).

Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function (CVE-2012-4424).

pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system (CVE-2013-2207).
NOTE! This is fixed by removing pt_chown wich may break chroots if their devpts was not mounted correctly (make sure to mount the devpts correctly with gid=5).

sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted (1) NTFS or (2) CIFS image (CVE-2013-4237).

Multiple integer overflows in malloc/malloc.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the (1) pvalloc, (2) valloc, (3) posix_memalign, (4) memalign, or (5) aligned_alloc functions (CVE-2013-4332).

A stack (frame) overflow flaw, which led to a denial of service (application crash), was found in the way glibc's getaddrinfo() function processed certain requests when called with AF_INET6. A similar flaw to CVE-2013-1914, this affects AF_INET6 rather than AF_UNSPEC (CVE-2013-4458).

The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context- dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address (CVE-2013-4788).

Other fixes in this update :

  - Correct the processing of '\x80' characters in     crypt_freesec.c

    - fix typo in nscd.service

It was discovered that the GNU C Library incorrectly handled the strcoll() function. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2012-4412, CVE-2012-4424)

It was discovered that the GNU C Library incorrectly handled multibyte characters in the regular expression matcher. An attacker could use this issue to cause a denial of service. (CVE-2013-0242)

It was discovered that the GNU C Library incorrectly handled large numbers of domain conversion results in the getaddrinfo() function. An attacker could use this issue to cause a denial of service.
(CVE-2013-1914)

It was discovered that the GNU C Library readdir_r() function incorrectly handled crafted NTFS or CIFS images. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2013-4237)

It was discovered that the GNU C Library incorrectly handled memory allocation. An attacker could use this issue to cause a denial of service. (CVE-2013-4332).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

systemd is now required during build so that installing or updating nscd does not result in any warnings. rtkaio bits are now tested correctly.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
127161	NewStart CGSL MAIN 5.04 : glibc Multiple Vulnerabilities (NS-SA-2019-0012)	Nessus	NewStart CGSL Local Security Checks	high
125004	EulerOS Virtualization 3.0.1.0 : glibc (EulerOS-SA-2019-1551)	Nessus	Huawei Local Security Checks	high
82149	Debian DLA-165-1 : eglibc security update	Nessus	Debian Local Security Checks	high
81689	GLSA-201503-04 : GNU C Library: Multiple vulnerabilities (GHOST)	Nessus	Gentoo Local Security Checks	high
78656	Slackware 14.1 / current : glibc (SSA:2014-296-01)	Nessus	Slackware Local Security Checks	high
71092	Mandriva Linux Security Advisory : glibc (MDVSA-2013:283)	Nessus	Mandriva Local Security Checks	high
70538	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 : eglibc vulnerabilities (USN-1991-1)	Nessus	Ubuntu Local Security Checks	high
69488	Fedora 19 : glibc-2.17-14.fc19 (2013-15316)	Nessus	Fedora Local Security Checks	high

CVE-2012-4424

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high