http://hmarco.org/bugs/CVE-2013-4788.html

20150907 Glibc Pointer guarding weakness

MDVSA-2013:283

MDVSA-2013:284

[oss-security] 20130716 Re: CVE-2013-4788 - Eglibc PTR MANGLE bug

61183

GLSA-201503-04

The remote NewStart CGSL host, running version MAIN 5.04, has glibc packages installed that are affected by multiple vulnerabilities:

  - elf/dl-load.c in ld.so in the GNU C Library (aka glibc     or libc6) through 2.11.2, and 2.12.x through 2.12.1,     does not properly handle a value of $ORIGIN for the     LD_AUDIT environment variable, which allows local users     to gain privileges via a crafted dynamic shared object     (DSO) located in an arbitrary directory. (CVE-2010-3847)

  - ld.so in the GNU C Library (aka glibc or libc6) before     2.11.3, and 2.12.x before 2.12.2, does not properly     restrict use of the LD_AUDIT environment variable to     reference dynamic shared objects (DSOs) as audit     objects, which allows local users to gain privileges by     leveraging an unsafe DSO located in a trusted library     directory, as demonstrated by libpcprofile.so.
    (CVE-2010-3856)

  - Integer overflow in string/strcoll_l.c in the GNU C     Library (aka glibc or libc6) 2.17 and earlier allows     context-dependent attackers to cause a denial of service     (crash) or possibly execute arbitrary code via a long     string, which triggers a heap-based buffer overflow.
    (CVE-2012-4412)

  - Stack-based buffer overflow in string/strcoll_l.c in the     GNU C Library (aka glibc or libc6) 2.17 and earlier     allows context-dependent attackers to cause a denial of     service (crash) or possibly execute arbitrary code via a     long string that triggers a malloc failure and use of     the alloca function. (CVE-2012-4424)

  - A flaw was found in the regular expression matching     routines that process multibyte character input. If an     application utilized the glibc regular expression     matching mechanism, an attacker could provide specially-     crafted input that, when processed, would cause the     application to crash. (CVE-2013-0242)

  - It was found that getaddrinfo() did not limit the amount     of stack memory used during name resolution. An attacker     able to make an application resolve an attacker-     controlled hostname or IP address could possibly cause     the application to exhaust all stack memory and crash.
    (CVE-2013-1914, CVE-2013-4458)

  - pt_chown in GNU C Library (aka glibc or libc6) before     2.18 does not properly check permissions for tty files,     which allows local users to change the permission on the     files and obtain access to arbitrary pseudo-terminals by     leveraging a FUSE file system. (CVE-2013-2207)

  - An out-of-bounds write flaw was found in the way the     glibc's readdir_r() function handled file system entries     longer than the NAME_MAX character constant. A remote     attacker could provide a specially crafted NTFS or CIFS     file system that, when processed by an application using     readdir_r(), would cause that application to crash or,     potentially, allow the attacker to execute arbitrary     code with the privileges of the user running the     application. (CVE-2013-4237)

  - Multiple integer overflow flaws, leading to heap-based     buffer overflows, were found in glibc's memory allocator     functions (pvalloc, valloc, and memalign). If an     application used such a function, it could cause the     application to crash or, potentially, execute arbitrary     code with the privileges of the user running the     application. (CVE-2013-4332)

  - The PTR_MANGLE implementation in the GNU C Library (aka     glibc or libc6) 2.4, 2.17, and earlier, and Embedded     GLIBC (EGLIBC) does not initialize the random value for     the pointer guard, which makes it easier for context-     dependent attackers to control execution flow by     leveraging a buffer-overflow vulnerability in an     application and using the known zero value pointer guard     to calculate a pointer address. (CVE-2013-4788)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the nss_files backend for the     Name Service Switch in glibc would return incorrect     data to applications or corrupt the heap (depending on     adjacent heap contents). A local attacker could     potentially use this flaw to execute arbitrary code on     the system.(CVE-2015-5277)

  - A directory traveral flaw was found in the way glibc     loaded locale files. An attacker able to make an     application use a specially crafted locale name value     (for example, specified in an LC_* environment     variable) could possibly use this flaw to execute     arbitrary code with the privileges of that     application.(CVE-2014-0475)

  - It was found that out-of-range time values passed to     the strftime() function could result in an     out-of-bounds memory access. This could lead to     application crash or, potentially, information     disclosure.(CVE-2015-8776)

  - The GNU C Library (aka glibc or libc6) before 2.27     contains an off-by-one error leading to a heap-based     buffer overflow in the glob function in glob.c, related     to the processing of home directories using the ~     operator followed by a long string.(CVE-2017-15670)

  - The PTR_MANGLE implementation in the GNU C Library (aka     glibc or libc6) 2.4, 2.17, and earlier, and Embedded     GLIBC (EGLIBC) does not initialize the random value for     the pointer guard, which makes it easier for     context-dependent attackers to control execution flow     by leveraging a buffer-overflow vulnerability in an     application and using the known zero value pointer     guard to calculate a pointer address.(CVE-2013-4788)

  - An out-of-bounds read flaw was found in the way glibc's     iconv() function converted certain encoded data to     UTF-8. An attacker able to make an application call the     iconv() function with a specially crafted argument     could use this flaw to crash that     application.(CVE-2014-6040)

  - A stack overflow vulnerability was found in
    _nss_dns_getnetbyname_r. On systems with nsswitch     configured to include ''networks: dns'' with a     privileged or network-facing service that would attempt     to resolve user-provided network names, an attacker     could provide an excessively long network name,     resulting in stack corruption and code     execution.(CVE-2016-3075)

  - Integer overflow in string/strcoll_l.c in the GNU C     Library (aka glibc or libc6) 2.17 and earlier allows     context-dependent attackers to cause a denial of     service (crash) or possibly execute arbitrary code via     a long string, which triggers a heap-based buffer     overflow.(CVE-2012-4412)

  - A heap-based buffer overflow flaw was found in glibc's     swscanf() function. An attacker able to make an     application call the swscanf() function could use this     flaw to crash that application or, potentially, execute     arbitrary code with the permissions of the user running     the application.(CVE-2015-1472)

  - It was found that getaddrinfo() did not limit the     amount of stack memory used during name resolution. An     attacker able to make an application resolve an     attacker-controlled hostname or IP address could     possibly cause the application to exhaust all stack     memory and crash.(CVE-2013-1914)

  - A stack overflow vulnerability was found in nan*     functions that could cause applications, which process     long strings with the nan function, to crash or,     potentially, execute arbitrary code.(CVE-2014-9761)

  - An out-of-bounds write flaw was found in the way the     glibc's readdir_r() function handled file system     entries longer than the NAME_MAX character constant. A     remote attacker could provide a specially crafted NTFS     or CIFS file system that, when processed by an     application using readdir_r(), would cause that     application to crash or, potentially, allow the     attacker to execute arbitrary code with the privileges     of the user running the application.(CVE-2013-4237)

  - It was discovered that, under certain circumstances,     glibc's getaddrinfo() function would send DNS queries     to random file descriptors. An attacker could     potentially use this flaw to send DNS queries to     unintended recipients, resulting in information     disclosure or data loss due to the application     encountering corrupted data.(CVE-2013-7423)

  - A buffer overflow flaw was found in the way glibc's     gethostbyname_r() and other related functions computed     the size of a buffer when passed a misaligned buffer as     input. An attacker able to make an application call any     of these functions with a misaligned buffer could use     this flaw to crash the application or, potentially,     execute arbitrary code with the permissions of the user     running the application.(CVE-2015-1781)

  - The nss_dns implementation of getnetbyname in GNU C     Library (aka glibc) before 2.21, when the DNS backend     in the Name Service Switch configuration is enabled,     allows remote attackers to cause a denial of service     (infinite loop) by sending a positive answer while a     network name is being process.(CVE-2014-9402)

  - In the GNU C Library (aka glibc or libc6) through 2.29,     proceed_next_node in posix/regexec.c has a heap-based     buffer over-read via an attempted case-insensitive     regular-expression match.(CVE-2019-9169)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This glibc update fixes a critical privilege escalation vulnerability and the following security and non-security issues :

  - bnc#892073: An off-by-one error leading to a heap-based     buffer overflow was found in __gconv_translit_find(). An     exploit that targets the problem is publicly available.
    (CVE-2014-5119)

  - bnc#886416: Avoid redundant shift character in iconv     output at block boundary.

  - bnc#883022: Initialize errcode in     sysdeps/unix/opendir.c.

  - bnc#882600: Copy filename argument in     posix_spawn_file_actions_addopen. (CVE-2014-4043)

  - bnc#864081: Take lock in pthread_cond_wait cleanup     handler only when needed.

  - bnc#843735: Don't crash on unresolved weak symbol     reference.

  - bnc#839870: Fix integer overflows in malloc.
    (CVE-2013-4332)

  - bnc#836746: Avoid race between {,__de}allocate_stack and
    __reclaim_stacks during fork.

  - bnc#834594: Fix readdir_r with long file names.
    (CVE-2013-4237)

  - bnc#830268: Initialize pointer guard also in static     executables. (CVE-2013-4788)

  - bnc#801246: Fix buffer overrun in regexp matcher.
    (CVE-2013-0242)

  - bnc#779320: Fix buffer overflow in strcoll.
    (CVE-2012-4412)

  - bnc#750741: Use absolute timeout in x86     pthread_cond_timedwait.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library.

#553206 CVE-2015-1472 CVE-2015-1473

The scanf family of functions do not properly limit stack allocation, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code.

CVE-2012-3405

The printf family of functions do not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service.

CVE-2012-3406

The printf family of functions do not properly limit stack allocation, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string.

CVE-2012-3480

Multiple integer overflows in the strtod, strtof, strtold, strtod_l, and other related functions allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.

CVE-2012-4412

Integer overflow in the strcoll and wcscoll functions allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.

CVE-2012-4424

Stack-based buffer overflow in the strcoll and wcscoll functions allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.

CVE-2013-0242

Buffer overflow in the extend_buffers function in the regular expression matcher allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.

CVE-2013-1914 CVE-2013-4458

Stack-based buffer overflow in the getaddrinfo function allows remote attackers to cause a denial of service (crash) via a hostname or IP address that triggers a large number of domain conversion results.

CVE-2013-4237

readdir_r allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a malicious NTFS image or CIFS service.

CVE-2013-4332

Multiple integer overflows in malloc/malloc.c allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the pvalloc, valloc, posix_memalign, memalign, or aligned_alloc functions.

CVE-2013-4357

The getaliasbyname, getaliasbyname_r, getaddrinfo, getservbyname, getservbyname_r, getservbyport, getservbyport_r, and glob functions do not properly limit stack allocation, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code.

CVE-2013-4788

When the GNU C library is statically linked into an executable, the PTR_MANGLE implementation does not initialize the random value for the pointer guard, so that various hardening mechanisms are not effective.

CVE-2013-7423

The send_dg function in resolv/res_send.c does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.

CVE-2013-7424

The getaddrinfo function may attempt to free an invalid pointer when handling IDNs (Internationalised Domain Names), which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code.

CVE-2014-4043

The posix_spawn_file_actions_addopen function does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.

For the oldstable distribution (squeeze), these problems have been fixed in version 2.11.3-4+deb6u5.

For the stable distribution (wheezy), these problems were fixed in version 2.13-38+deb7u8 or earlier.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201503-04 (GNU C Library: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the GNU C Library.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A local attacker may be able to execute arbitrary code or cause a Denial       of Service condition,.
  Workaround :

    There is no known workaround at this time.

New glibc packages are available for Slackware 14.1 and -current to fix security issues.

This update for glibc contains the following fixes :

  - Fix integer overflows in malloc. (CVE-2013-4332,     bnc#839870)

  - Fix buffer overflow in glob. (bnc#691365)

  - Fix buffer overflow in strcoll. (CVE-2012-4412,     bnc#779320)

  - Update mount flags in <sys/mount.h>. (bnc#791928)

  - Fix buffer overrun in regexp matcher. (CVE-2013-0242,     bnc#801246)

  - Fix memory leaks in dlopen. (bnc#811979)

  - Fix stack overflow in getaddrinfo with many results.
    (CVE-2013-1914, bnc#813121)

  - Don't raise UNDERFLOW in tan/tanf for small but normal     argument. (bnc#819347)

  - Properly cross page boundary in SSE4.2 implementation of     strcmp. (bnc#822210)

  - Fix robust mutex handling after fork. (bnc#827811)

  - Fix missing character in IBM-943 charset. (bnc#828235)

  - Fix use of alloca in gaih_inet. (bnc#828637)

  - Initialize pointer guard also in static executables.
    (CVE-2013-4788, bnc#830268)

  - Fix readdir_r with long file names. (CVE-2013-4237,     bnc#834594)

This update for glibc contains the following fixes :

  - Fix integer overflows in malloc. (CVE-2013-4332,     bnc#839870)

  - Fix buffer overflow in glob. (bnc#691365)

  - Fix buffer overflow in strcoll. (CVE-2012-4412,     bnc#779320)

  - Update mount flags in <sys/mount.h>. (bnc#791928)

  - Fix buffer overrun in regexp matcher. (CVE-2013-0242,     bnc#801246)

  - Fix memory leaks in dlopen. (bnc#811979)

  - Fix stack overflow in getaddrinfo with many results.
    (CVE-2013-1914, bnc#813121)

  - Fix check for XEN build in glibc_post_upgrade that     causes missing init re-exec. (bnc#818628)

  - Don't raise UNDERFLOW in tan/tanf for small but normal     argument. (bnc#819347)

  - Properly cross page boundary in SSE4.2 implementation of     strcmp. (bnc#822210)

  - Fix robust mutex handling after fork. (bnc#827811)

  - Fix missing character in IBM-943 charset. (bnc#828235)

  - Fix use of alloca in gaih_inet. (bnc#828637)

  - Initialize pointer guard also in static executables.
    (CVE-2013-4788, bnc#830268)

  - Fix readdir_r with long file names. (CVE-2013-4237,     bnc#834594)

Updated glibc packages fixes the following security issues :

Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow (CVE-2012-4412).

Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function (CVE-2012-4424).

pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system (CVE-2013-2207).
NOTE! This is fixed by removing pt_chown wich may break chroots if their devpts was not mounted correctly (make sure to mount the devpts correctly with gid=5).

sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted (1) NTFS or (2) CIFS image (CVE-2013-4237).

Multiple integer overflows in malloc/malloc.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the (1) pvalloc, (2) valloc, (3) posix_memalign, (4) memalign, or (5) aligned_alloc functions (CVE-2013-4332).

A stack (frame) overflow flaw, which led to a denial of service (application crash), was found in the way glibc's getaddrinfo() function processed certain requests when called with AF_INET6. A similar flaw to CVE-2013-1914, this affects AF_INET6 rather than AF_UNSPEC (CVE-2013-4458).

The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context- dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address (CVE-2013-4788).

Other fixes in this update :

  - Correct the processing of '\x80' characters in     crypt_freesec.c

    - fix typo in nscd.service

Existing statically linked applications must be rebuilt to fix CVE-2013-4788.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
127161	NewStart CGSL MAIN 5.04 : glibc Multiple Vulnerabilities (NS-SA-2019-0012)	Nessus	NewStart CGSL Local Security Checks	high
125005	EulerOS Virtualization 3.0.1.0 : glibc (EulerOS-SA-2019-1552)	Nessus	Huawei Local Security Checks	high
83637	SUSE SLES11 Security Update : glibc (SUSE-SU-2014:1122-1)	Nessus	SuSE Local Security Checks	high
82149	Debian DLA-165-1 : eglibc security update	Nessus	Debian Local Security Checks	high
81689	GLSA-201503-04 : GNU C Library: Multiple vulnerabilities (GHOST)	Nessus	Gentoo Local Security Checks	high
78656	Slackware 14.1 / current : glibc (SSA:2014-296-01)	Nessus	Slackware Local Security Checks	high
71308	SuSE 11.3 Security Update : glibc (SAT Patch Number 8337)	Nessus	SuSE Local Security Checks	high
71307	SuSE 11.2 Security Update : glibc (SAT Patch Number 8335)	Nessus	SuSE Local Security Checks	high
71092	Mandriva Linux Security Advisory : glibc (MDVSA-2013:283)	Nessus	Mandriva Local Security Checks	high
70180	Fedora 19 : glibc-2.17-18.fc19 (2013-17475)	Nessus	Fedora Local Security Checks	medium
70158	Fedora 20 : glibc-2.18-9.fc20 (2013-17423)	Nessus	Fedora Local Security Checks	medium

CVE-2013-4788

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins