[oss-security] 20150203 Re: CVE request: heap buffer overflow in glibc swscanf

http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html

http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html

20190612 SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series

20190904 SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

72428

USN-2519-1

20190613 SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series

GLSA-201602-02

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06

[libc-alpha] 20150206 The GNU C Library version 2.21 is now available

According to the versions of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the nss_files backend for the     Name Service Switch in glibc would return incorrect     data to applications or corrupt the heap (depending on     adjacent heap contents). A local attacker could     potentially use this flaw to execute arbitrary code on     the system.(CVE-2015-5277)

  - A directory traveral flaw was found in the way glibc     loaded locale files. An attacker able to make an     application use a specially crafted locale name value     (for example, specified in an LC_* environment     variable) could possibly use this flaw to execute     arbitrary code with the privileges of that     application.(CVE-2014-0475)

  - It was found that out-of-range time values passed to     the strftime() function could result in an     out-of-bounds memory access. This could lead to     application crash or, potentially, information     disclosure.(CVE-2015-8776)

  - The GNU C Library (aka glibc or libc6) before 2.27     contains an off-by-one error leading to a heap-based     buffer overflow in the glob function in glob.c, related     to the processing of home directories using the ~     operator followed by a long string.(CVE-2017-15670)

  - The PTR_MANGLE implementation in the GNU C Library (aka     glibc or libc6) 2.4, 2.17, and earlier, and Embedded     GLIBC (EGLIBC) does not initialize the random value for     the pointer guard, which makes it easier for     context-dependent attackers to control execution flow     by leveraging a buffer-overflow vulnerability in an     application and using the known zero value pointer     guard to calculate a pointer address.(CVE-2013-4788)

  - An out-of-bounds read flaw was found in the way glibc's     iconv() function converted certain encoded data to     UTF-8. An attacker able to make an application call the     iconv() function with a specially crafted argument     could use this flaw to crash that     application.(CVE-2014-6040)

  - A stack overflow vulnerability was found in
    _nss_dns_getnetbyname_r. On systems with nsswitch     configured to include ''networks: dns'' with a     privileged or network-facing service that would attempt     to resolve user-provided network names, an attacker     could provide an excessively long network name,     resulting in stack corruption and code     execution.(CVE-2016-3075)

  - Integer overflow in string/strcoll_l.c in the GNU C     Library (aka glibc or libc6) 2.17 and earlier allows     context-dependent attackers to cause a denial of     service (crash) or possibly execute arbitrary code via     a long string, which triggers a heap-based buffer     overflow.(CVE-2012-4412)

  - A heap-based buffer overflow flaw was found in glibc's     swscanf() function. An attacker able to make an     application call the swscanf() function could use this     flaw to crash that application or, potentially, execute     arbitrary code with the permissions of the user running     the application.(CVE-2015-1472)

  - It was found that getaddrinfo() did not limit the     amount of stack memory used during name resolution. An     attacker able to make an application resolve an     attacker-controlled hostname or IP address could     possibly cause the application to exhaust all stack     memory and crash.(CVE-2013-1914)

  - A stack overflow vulnerability was found in nan*     functions that could cause applications, which process     long strings with the nan function, to crash or,     potentially, execute arbitrary code.(CVE-2014-9761)

  - An out-of-bounds write flaw was found in the way the     glibc's readdir_r() function handled file system     entries longer than the NAME_MAX character constant. A     remote attacker could provide a specially crafted NTFS     or CIFS file system that, when processed by an     application using readdir_r(), would cause that     application to crash or, potentially, allow the     attacker to execute arbitrary code with the privileges     of the user running the application.(CVE-2013-4237)

  - It was discovered that, under certain circumstances,     glibc's getaddrinfo() function would send DNS queries     to random file descriptors. An attacker could     potentially use this flaw to send DNS queries to     unintended recipients, resulting in information     disclosure or data loss due to the application     encountering corrupted data.(CVE-2013-7423)

  - A buffer overflow flaw was found in the way glibc's     gethostbyname_r() and other related functions computed     the size of a buffer when passed a misaligned buffer as     input. An attacker able to make an application call any     of these functions with a misaligned buffer could use     this flaw to crash the application or, potentially,     execute arbitrary code with the permissions of the user     running the application.(CVE-2015-1781)

  - The nss_dns implementation of getnetbyname in GNU C     Library (aka glibc) before 2.21, when the DNS backend     in the Name Service Switch configuration is enabled,     allows remote attackers to cause a denial of service     (infinite loop) by sending a positive answer while a     network name is being process.(CVE-2014-9402)

  - In the GNU C Library (aka glibc or libc6) through 2.29,     proceed_next_node in posix/regexec.c has a heap-based     buffer over-read via an attempted case-insensitive     regular-expression match.(CVE-2019-9169)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201602-02 (GNU C Library: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the GNU C Library:
      The Google Security Team and Red Hat discovered a stack-based buffer         overflow in the send_dg() and send_vc() functions due to a buffer         mismanagement when getaddrinfo() is called with AF_UNSPEC         (CVE-2015-7547).
      The strftime() function access invalid memory when passed         out-of-range data, resulting in a crash (CVE-2015-8776).
      An integer overflow was found in the __hcreate_r() function         (CVE-2015-8778).
      Multiple unbounded stack allocations were found in the catopen()         function (CVE-2015-8779).
    Please review the CVEs referenced below for additional vulnerabilities       that had already been fixed in previous versions of sys-libs/glibc, for       which we have not issued a GLSA before.
  Impact :

    A remote attacker could exploit any application which performs host name       resolution using getaddrinfo() in order to execute arbitrary code or       crash the application. The other vulnerabilities can possibly be       exploited to cause a Denial of Service or leak information.
  Workaround :

    A number of mitigating factors for CVE-2015-7547 have been identified.
      Please review the upstream advisory and references below.

Updated glibc packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7.1 Extended Update Support.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap (depending on adjacent heap contents). A local attacker could potentially use this flaw to execute arbitrary code on the system.
(CVE-2015-5277)

It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
(CVE-2013-7423)

A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.
(CVE-2015-1781)

A heap-based buffer overflow flaw and a stack overflow flaw were found in glibc's swscanf() function. An attacker able to make an application call the swscanf() function could use these flaws to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1472, CVE-2015-1473)

The CVE-2015-5277 issue was discovered by Sumit Bose and Lukas Slebodnik of Red Hat, and the CVE-2015-1781 issue was discovered by Arjun Shankar of Red Hat.

All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
(CVE-2013-7423)

A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.
(CVE-2015-1781)

A heap-based buffer overflow flaw and a stack overflow flaw were found in glibc's swscanf() function. An attacker able to make an application call the swscanf() function could use these flaws to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1472, CVE-2015-1473)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in glibc's _IO_wstr_overflow() function. An attacker able to make an application call this function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application.

A flaw was found in the way glibc's fnmatch() function processed certain malformed patterns. An attacker able to make an application call this function could use this flaw to crash that application.

A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.
(CVE-2015-1781)

It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap (depending on adjacent heap contents). A local attacker could potentially use this flaw to execute arbitrary code on the system.
(CVE-2015-5277)

It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
(CVE-2013-7423)

A stack overflow flaw was found in glibc's swscanf() function. An attacker able to make an application call the swscanf() function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1473)

A heap-based buffer overflow flaw was found in glibc's swscanf() function. An attacker able to make an application call the swscanf() function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1472)

Updated glibc packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
(CVE-2013-7423)

A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.
(CVE-2015-1781)

A heap-based buffer overflow flaw and a stack overflow flaw were found in glibc's swscanf() function. An attacker able to make an application call the swscanf() function could use these flaws to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1472, CVE-2015-1473)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in glibc's _IO_wstr_overflow() function. An attacker able to make an application call this function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (BZ#1195762)

A flaw was found in the way glibc's fnmatch() function processed certain malformed patterns. An attacker able to make an application call this function could use this flaw to crash that application.
(BZ#1197730)

The CVE-2015-1781 issue was discovered by Arjun Shankar of Red Hat.

These updated glibc packages also include numerous bug fixes and one enhancement. Space precludes documenting all of these changes in this advisory. For information on the most significant of these changes, users are directed to the following article on the Red Hat Customer Portal :

https://access.redhat.com/articles/2050743

All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

From Red Hat Security Advisory 2015:2199 :

Updated glibc packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
(CVE-2013-7423)

A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.
(CVE-2015-1781)

A heap-based buffer overflow flaw and a stack overflow flaw were found in glibc's swscanf() function. An attacker able to make an application call the swscanf() function could use these flaws to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1472, CVE-2015-1473)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in glibc's _IO_wstr_overflow() function. An attacker able to make an application call this function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application. (BZ#1195762)

A flaw was found in the way glibc's fnmatch() function processed certain malformed patterns. An attacker able to make an application call this function could use this flaw to crash that application.
(BZ#1197730)

The CVE-2015-1781 issue was discovered by Arjun Shankar of Red Hat.

These updated glibc packages also include numerous bug fixes and one enhancement. Space precludes documenting all of these changes in this advisory. For information on the most significant of these changes, users are directed to the following article on the Red Hat Customer Portal :

https://access.redhat.com/articles/2050743

All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

glibc has been updated to fix four security issues :

  - CVE-2014-0475: Directory traversal in locale environment     handling (bnc#887022)

  - CVE-2014-7817: wordexp failed to honour WRDE_NOCMD     (bsc#906371)

  - CVE-2014-9402: Avoid infinite loop in nss_dns     getnetbyname (bsc#910599)

  - CVE-2015-1472: Fixed buffer overflow in wscanf     (bsc#916222)

  - CVE-2013-7423: getaddrinfo() wrote DNS queries to random     file descriptors under high load. (bnc#915526)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

glibc has been updated to fix four security issues :

  - CVE-2014-0475: Directory traversal in locale environment     handling (bnc#887022)

  - CVE-2014-7817: wordexp failed to honour WRDE_NOCMD     (bsc#906371)

  - CVE-2014-9402: Avoid infinite loop in nss_dns     getnetbyname (bsc#910599)

  - CVE-2015-1472: Fixed buffer overflow in wscanf     (bsc#916222)

This non-security issue has been fixed :

  - Fix missing zero termination (bnc#918233)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

glibc has been updated to fix four security issues.

These security issues were fixed :

  - CVE-2014-7817: The wordexp function in GNU C Library     (aka glibc) 2.21 did not enforce the WRDE_NOCMD flag,     which allowed context-dependent attackers to execute     arbitrary commands, as demonstrated by input containing     '$((`...`))' (bnc#906371).

  - CVE-2015-1472: Heap buffer overflow in glibc swscanf     (bnc#916222).

  - CVE-2014-9402: Denial of service in getnetbyname     function (bnc#910599).

  - CVE-2013-7423: Getaddrinfo() writes DNS queries to     random file descriptors under high load (bnc#915526).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated glibc packages fix security vulnerabilities :

Stephane Chazelas discovered that directory traversal issue in locale handling in glibc. glibc accepts relative paths with .. components in the LC_* and LANG variables. Together with typical OpenSSH configurations (with suitable AcceptEnv settings in sshd_config), this could conceivably be used to bypass ForceCommand restrictions (or restricted shells), assuming the attacker has sufficient level of access to a file system location on the host to create crafted locale definitions there (CVE-2014-0475).

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where posix_spawn_file_actions_addopen fails to copy the path argument (glibc bz #17048) which can, in conjunction with many common memory management techniques from an application, lead to a use after free, or other vulnerabilities (CVE-2014-4043).

This update also fixes the following issues: x86: Disable x87 inline functions for SSE2 math (glibc bz #16510) malloc: Fix race in free() of fastbin chunk (glibc bz #15073)

Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution.

This update removes support of loadable gconv transliteration modules.
Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose (CVE-2014-5119).

Adhemerval Zanella Netto discovered out-of-bounds reads in additional code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364) that can be used to crash the systems, causing a denial of service conditions (CVE-2014-6040).

The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs in the form of '$((... ))' where '...' can be anything valid. The backticks in the arithmetic epxression are evaluated by in a shell even if WRDE_NOCMD forbade command substitution. This allows an attacker to attempt to pass dangerous commands via constructs of the above form, and bypass the WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).

The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not properly restrict the use of the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers (CVE-2012-3406).

The nss_dns implementation of getnetbyname could run into an infinite loop if the DNS response contained a PTR record of an unexpected format (CVE-2014-9402).

Also glibc lock elision (new feature in glibc 2.18) has been disabled as it can break glibc at runtime on newer Intel hardware (due to hardware bug)

Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer (CVE-2015-1472).

The incorrect use of '__libc_use_alloca (newsize)' caused a different (and weaker) policy to be enforced which could allow a denial of service attack (CVE-2015-1473).

Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library.

#553206 CVE-2015-1472 CVE-2015-1473

The scanf family of functions do not properly limit stack allocation, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code.

CVE-2012-3405

The printf family of functions do not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service.

CVE-2012-3406

The printf family of functions do not properly limit stack allocation, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string.

CVE-2012-3480

Multiple integer overflows in the strtod, strtof, strtold, strtod_l, and other related functions allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.

CVE-2012-4412

Integer overflow in the strcoll and wcscoll functions allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.

CVE-2012-4424

Stack-based buffer overflow in the strcoll and wcscoll functions allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.

CVE-2013-0242

Buffer overflow in the extend_buffers function in the regular expression matcher allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters.

CVE-2013-1914 CVE-2013-4458

Stack-based buffer overflow in the getaddrinfo function allows remote attackers to cause a denial of service (crash) via a hostname or IP address that triggers a large number of domain conversion results.

CVE-2013-4237

readdir_r allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a malicious NTFS image or CIFS service.

CVE-2013-4332

Multiple integer overflows in malloc/malloc.c allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the pvalloc, valloc, posix_memalign, memalign, or aligned_alloc functions.

CVE-2013-4357

The getaliasbyname, getaliasbyname_r, getaddrinfo, getservbyname, getservbyname_r, getservbyport, getservbyport_r, and glob functions do not properly limit stack allocation, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code.

CVE-2013-4788

When the GNU C library is statically linked into an executable, the PTR_MANGLE implementation does not initialize the random value for the pointer guard, so that various hardening mechanisms are not effective.

CVE-2013-7423

The send_dg function in resolv/res_send.c does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.

CVE-2013-7424

The getaddrinfo function may attempt to free an invalid pointer when handling IDNs (Internationalised Domain Names), which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code.

CVE-2014-4043

The posix_spawn_file_actions_addopen function does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.

For the oldstable distribution (squeeze), these problems have been fixed in version 2.11.3-4+deb6u5.

For the stable distribution (wheezy), these problems were fixed in version 2.13-38+deb7u8 or earlier.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

glibc has ben updated to fix three security issues :

  - wordexp failed to honour WRDE_NOCMD (bsc#906371).
    (CVE-2014-7817)

  - Fixed invalid file descriptor reuse while sending DNS     query (bsc#915526). (CVE-2013-7423)

  - Fixed buffer overflow in wscanf (bsc#916222) These     non-security issues have been fixed:. (CVE-2015-1472)

  - Remove inaccurate assembler implementations of ceill,     floorl, nearbyintl, roundl, truncl for PowerPC64     (bsc#917072)

  - Don't return IPv4 addresses when looking for IPv6     addresses only (bsc#904461)

- Fix CVE-2014-7817 glibc: command execution in wordexp()     with WRDE_NOCMD specified

    - Fix CVE-2014-9402 glibc: denial of service in       getnetbyname function

    - CVE-2015-1472 glibc: heap buffer overflow in glibc       swscanf

    - Fix segfault when LD_LIBRARY_PATH is set to       non-existent directory.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Arnaud Le Blanc discovered that the GNU C Library incorrectly handled file descriptors when resolving DNS queries under high load. This may cause a denial of service in other applications, or an information leak. This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7423)

It was discovered that the GNU C Library incorrectly handled receiving a positive answer while processing the network name when performing DNS resolution. A remote attacker could use this issue to cause the GNU C Library to hang, resulting in a denial of service.
(CVE-2014-9402)

Joseph Myers discovered that the GNU C Library wscanf function incorrectly handled memory. A remote attacker could possibly use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1472, CVE-2015-1473).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Glibc was updated to fix several security issues.

  - Avoid infinite loop in nss_dns getnetbyname     (CVE-2014-9402, bsc#910599, BZ #17630)

  - wordexp fails to honour WRDE_NOCMD (CVE-2014-7817,     bsc#906371, BZ #17625)

  - Fix invalid file descriptor reuse while sending DNS     query (CVE-2013-7423, bsc#915526, BZ #15946)

  - Fix buffer overflow in wscanf (CVE-2015-1472,     bsc#916222, BZ #16618)

Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library :

  - CVE-2012-3406     The vfprintf function in stdio-common/vfprintf.c in GNU     C Library (aka glibc) 2.5, 2.12, and probably other     versions does not 'properly restrict the use of' the     alloca function when allocating the SPECS array, which     allows context-dependent attackers to bypass the     FORTIFY_SOURCE format-string protection mechanism and     cause a denial of service (crash) or possibly execute     arbitrary code via a crafted format string using     positional parameters and a large number of format     specifiers, a different vulnerability than CVE-2012-3404     and CVE-2012-3405.

  - CVE-2013-7424     An invalid free flaw was found in glibc's getaddrinfo()     function when used with the AI_IDN flag. A remote     attacker able to make an application call this function     could use this flaw to execute arbitrary code with the     permissions of the user running the application. Note     that this flaw only affected applications using glibc     compiled with libidn support.

  - CVE-2014-4043     The posix_spawn_file_actions_addopen function in glibc     before 2.20 does not copy its path argument in     accordance with the POSIX specification, which allows     context-dependent attackers to trigger use-after-free     vulnerabilities.

  - CVE-2014-9402     The getnetbyname function in glibc 2.21 or earlier will     enter an infinite loop if the DNS backend is activated     in the system Name Service Switch configuration, and the     DNS resolver receives a positive answer while processing     the network name.

  - CVE-2015-1472 / CVE-2015-1473     Under certain conditions wscanf can allocate too little     memory for the to-be-scanned arguments and overflow the     allocated buffer. The incorrect use of     '__libc_use_alloca (newsize)' caused a different (and     weaker) policy to be enforced which could allow a denial     of service attack.

ID	Name	Product	Family	Severity
125005	EulerOS Virtualization 3.0.1.0 : glibc (EulerOS-SA-2019-1552)	Nessus	Huawei Local Security Checks	high
88822	GLSA-201602-02 : GNU C Library: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
88573	RHEL 7 : glibc (RHSA-2015:2589)	Nessus	Red Hat Local Security Checks	high
87556	Scientific Linux Security Update : glibc on SL7.x x86_64 (20151119)	Nessus	Scientific Linux Local Security Checks	high
87343	Amazon Linux AMI : glibc (ALAS-2015-617)	Nessus	Amazon Linux Local Security Checks	high
87142	CentOS 7 : glibc (CESA-2015:2199)	Nessus	CentOS Local Security Checks	high
87092	Oracle Linux 7 : glibc (ELSA-2015-2199)	Nessus	Oracle Linux Local Security Checks	high
86937	RHEL 7 : glibc (RHSA-2015:2199)	Nessus	Red Hat Local Security Checks	high
83705	SUSE SLES11 Security Update : glibc (SUSE-SU-2015:0551-1)	Nessus	SuSE Local Security Checks	high
83704	SUSE SLES10 Security Update : glibc (SUSE-SU-2015:0550-1)	Nessus	SuSE Local Security Checks	high
83701	SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2015:0526-1)	Nessus	SuSE Local Security Checks	high
82421	Mandriva Linux Security Advisory : glibc (MDVSA-2015:168)	Nessus	Mandriva Local Security Checks	high
82149	Debian DLA-165-1 : eglibc security update	Nessus	Debian Local Security Checks	high
81667	SuSE 11.3 Security Update : glibc (SAT Patch Number 10357)	Nessus	SuSE Local Security Checks	high
81615	Fedora 21 : glibc-2.20-8.fc21 (2015-2837)	Nessus	Fedora Local Security Checks	high
81572	Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : eglibc, glibc vulnerabilities (USN-2519-1)	Nessus	Ubuntu Local Security Checks	high
81560	openSUSE Security Update : glibc (openSUSE-2015-173)	Nessus	SuSE Local Security Checks	high
81448	Debian DSA-3169-1 : eglibc - security update	Nessus	Debian Local Security Checks	high

CVE-2015-1472

HIGH

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high