FEDORA-2016-68abc0be35

openSUSE-SU-2016:1527

openSUSE-SU-2016:1779

[oss-security] 20160307 CVE-2016-1234 in glibc glob with GLOB_ALTDIRFUNC

84204

GLSA-201702-11

https://sourceware.org/bugzilla/show_bug.cgi?id=19779

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea

According to the version of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - Stack-based buffer overflow in the glob implementation     in GNU C Library (aka glibc) before 2.24, when     GLOB_ALTDIRFUNC is used, allows context-dependent     attackers to cause a denial of service (crash) via a     long name.(CVE-2016-1234)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In the GNU C Library (aka glibc or libc6) through 2.28,     the getaddrinfo function would successfully parse a     string that contained an IPv4 address followed by     whitespace and arbitrary characters, which could lead     applications to incorrectly assume that it had parsed a     valid string, without the possibility of embedded HTTP     headers or other potentially dangerous     substrings.(CVE-2016-10739)

  - Stack-based buffer overflow in the glob implementation     in GNU C Library (aka glibc) before 2.24, when     GLOB_ALTDIRFUNC is used, allows context-dependent     attackers to cause a denial of service (crash) via a     long name.(CVE-2016-1234)

  - Use-after-free vulnerability in the clntudp_call     function in sunrpc/clnt_udp.c in the GNU C Library (aka     glibc or libc6) before 2.26 allows remote attackers to     have unspecified impact via vectors related to error     path.(CVE-2017-12133)

  - In the GNU C Library (aka glibc or libc6) through 2.29,     check_dst_limits_calc_pos_1 in posix/regexec.c has     Uncontrolled Recursion, as demonstrated by     '(\227|)(\\1\\1|t1|\\\2537)+' in grep.(CVE-2018-20796)

  - ** DISPUTED ** In the GNU C Library (aka glibc or     libc6) through 2.29, check_dst_limits_calc_pos_1 in     posix/regexec.c has Uncontrolled Recursion, as     demonstrated by '(|)(\\1\\1)*' in grep, a different     issue than CVE-2018-20796. NOTE: the software     maintainer disputes that this is a vulnerability     because the behavior occurs only with a crafted     pattern.(CVE-2019-9192)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In the GNU C Library (aka glibc or libc6) through 2.28,     the getaddrinfo function would successfully parse a     string that contained an IPv4 address followed by     whitespace and arbitrary characters, which could lead     applications to incorrectly assume that it had parsed a     valid string, without the possibility of embedded HTTP     headers or other potentially dangerous     substrings.(CVE-2016-10739)

  - Use-after-free vulnerability in the clntudp_call     function in sunrpc/clnt_udp.c in the GNU C Library (aka     glibc or libc6) before 2.26 allows remote attackers to     have unspecified impact via vectors related to error     path.(CVE-2017-12133)

  - Stack-based buffer overflow in the glob implementation     in GNU C Library (aka glibc) before 2.24, when     GLOB_ALTDIRFUNC is used, allows context-dependent     attackers to cause a denial of service (crash) via a     long name.(CVE-2016-1234)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Stack-based buffer overflow in the glob implementation     in GNU C Library (aka glibc) before 2.24, when     GLOB_ALTDIRFUNC is used, allows context-dependent     attackers to cause a denial of service (crash) via a     long name.(CVE-2016-1234)

  - The DNS stub resolver in the GNU C Library (aka glibc     or libc6) before version 2.26, when EDNS support is     enabled, will solicit large UDP responses from name     servers, potentially simplifying off-path DNS spoofing     attacks due to IP fragmentation.(CVE-2017-12132)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the glibc package has been released.

An update of [cracklib,libevent,libgcrypt,httpd,glibc] packages for PhotonOS has been released.

USN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately, the fix for CVE-2016-3706 introduced a regression that in some circumstances prevented IPv6 addresses from resolving. This update reverts the change in Ubuntu 12.04 LTS. We apologize for the error.

It was discovered that the GNU C Library incorrectly handled the strxfrm() function. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982)

It was discovered that an integer overflow existed in the
_IO_wstr_overflow() function of the GNU C Library. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8983)

It was discovered that the fnmatch() function in the GNU C Library did not properly handle certain malformed patterns.
An attacker could use this to cause a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984)

Alexander Cherepanov discovered a stack-based buffer overflow in the glob implementation of the GNU C Library. An attacker could use this to specially craft a directory layout and cause a denial of service. (CVE-2016-1234)

Michael Petlan discovered an unbounded stack allocation in the getaddrinfo() function of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-3706)

Aldy Hernandez discovered an unbounded stack allocation in the sunrpc implementation in the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-4429)

Tim Ruehsen discovered that the getaddrinfo() implementation in the GNU C Library did not properly track memory allocations. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-5417)

Andreas Schwab discovered that the GNU C Library on ARM 32-bit platforms did not properly set up execution contexts.
An attacker could use this to cause a denial of service.
(CVE-2016-6323).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately, the fix for CVE-2015-5180 introduced an internal ABI change within the resolver library. This update reverts the change. We apologize for the inconvenience.

Please note that long-running services that were restarted to compensate for the USN-3239-1 update may need to be restarted again.

It was discovered that the GNU C Library incorrectly handled the strxfrm() function. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982)

It was discovered that an integer overflow existed in the
_IO_wstr_overflow() function of the GNU C Library. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8983)

It was discovered that the fnmatch() function in the GNU C Library did not properly handle certain malformed patterns.
An attacker could use this to cause a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984)

Alexander Cherepanov discovered a stack-based buffer overflow in the glob implementation of the GNU C Library. An attacker could use this to specially craft a directory layout and cause a denial of service. (CVE-2016-1234)

Florian Weimer discovered a NULL pointer dereference in the DNS resolver of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2015-5180)

Michael Petlan discovered an unbounded stack allocation in the getaddrinfo() function of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-3706)

Aldy Hernandez discovered an unbounded stack allocation in the sunrpc implementation in the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-4429)

Tim Ruehsen discovered that the getaddrinfo() implementation in the GNU C Library did not properly track memory allocations. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-5417)

Andreas Schwab discovered that the GNU C Library on ARM 32-bit platforms did not properly set up execution contexts.
An attacker could use this to cause a denial of service.
(CVE-2016-6323).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the GNU C Library incorrectly handled the strxfrm() function. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982)

It was discovered that an integer overflow existed in the
_IO_wstr_overflow() function of the GNU C Library. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2015-8983)

It was discovered that the fnmatch() function in the GNU C Library did not properly handle certain malformed patterns. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984)

Alexander Cherepanov discovered a stack-based buffer overflow in the glob implementation of the GNU C Library. An attacker could use this to specially craft a directory layout and cause a denial of service.
(CVE-2016-1234)

Florian Weimer discovered a NULL pointer dereference in the DNS resolver of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2015-5180)

Michael Petlan discovered an unbounded stack allocation in the getaddrinfo() function of the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-3706)

Aldy Hernandez discovered an unbounded stack allocation in the sunrpc implementation in the GNU C Library. An attacker could use this to cause a denial of service. (CVE-2016-4429)

Tim Ruehsen discovered that the getaddrinfo() implementation in the GNU C Library did not properly track memory allocations. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-5417)

Andreas Schwab discovered that the GNU C Library on ARM 32-bit platforms did not properly set up execution contexts. An attacker could use this to cause a denial of service. (CVE-2016-6323).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201702-11 (GNU C Library: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the GNU C Library.
      Please review the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could possibly execute arbitrary code with       the privileges of the process, disclose sensitive information, or cause a       Denial of Service condition via multiple vectors.
  Workaround :

    There is no known workaround at this time.

This update for glibc fixes the following issues :

  - Drop old fix that could break services that start before     IPv6 is up. (bsc#931399)

  - Do not copy d_name field of struct dirent.
    (CVE-2016-1234, bsc#969727)

  - Fix memory leak in _nss_dns_gethostbyname4_r.
    (bsc#973010)

  - Relocate DSOs in dependency order, fixing a potential     crash during symbol relocation phase. (bsc#986302)

  - Fix nscd assertion failure in gc. (bsc#965699)

  - Fix stack overflow in _nss_dns_getnetbyname_r.
    (CVE-2016-3075, bsc#973164)

  - Fix getaddrinfo stack overflow in hostent conversion.
    (CVE-2016-3706, bsc#980483)

  - Do not use alloca in clntudp_call. (CVE-2016-4429,     bsc#980854)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for glibc provides the following fixes :

  - Increase DTV_SURPLUS limit. (bsc#968787)

  - Do not copy d_name field of struct dirent.
    (CVE-2016-1234, bsc#969727)

  - Fix memory leak in _nss_dns_gethostbyname4_r.
    (bsc#973010)

  - Fix stack overflow in _nss_dns_getnetbyname_r.
    (CVE-2016-3075, bsc#973164)

  - Fix malloc performance regression from SLE 11.
    (bsc#975930)

  - Fix getaddrinfo stack overflow in hostent conversion.
    (CVE-2016-3706, bsc#980483)

  - Do not use alloca in clntudp_call. (CVE-2016-4429,     bsc#980854)

  - Remove mtrace.1, now included in the man-pages package.
    (bsc#967190)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for glibc provides the following fixes :

  - Increase DTV_SURPLUS limit. (bsc#968787)

  - Do not copy d_name field of struct dirent.
    (CVE-2016-1234, bsc#969727)

  - Fix memory leak in _nss_dns_gethostbyname4_r.
    (bsc#973010)

  - Fix stack overflow in _nss_dns_getnetbyname_r.
    (CVE-2016-3075, bsc#973164)

  - Fix malloc performance regression from SLE 11.
    (bsc#975930)

  - Fix getaddrinfo stack overflow in hostent conversion.
    (CVE-2016-3706, bsc#980483)

  - Do not use alloca in clntudp_call (CVE-2016-4429,     bsc#980854)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update contains minor security fixes (for CVE-2016-3075, CVE-2016-3706, and CVE-2016-1234) and collects fixes for bugs encountered by Fedora users.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for glibc provides the following fixes :

  - Increase DTV_SURPLUS limit. (bsc#968787)

  - Do not copy d_name field of struct dirent.
    (CVE-2016-1234, bsc#969727)

  - Fix memory leak in _nss_dns_gethostbyname4_r.
    (bsc#973010)

  - Fix stack overflow in _nss_dns_getnetbyname_r.
    (CVE-2016-3075, bsc#973164)

  - Fix malloc performance regression from SLE 11.
    (bsc#975930)

  - Fix getaddrinfo stack overflow in hostent conversion.
    (CVE-2016-3706, bsc#980483)

  - Do not use alloca in clntudp_call. (CVE-2016-4429,     bsc#980854)

  - Remove mtrace.1, now included in the man-pages package.
    (bsc#967190)

This update was imported from the SUSE:SLE-12-SP1:Update update project.

This update for glibc fixes the following issues :

  - glob-altdirfunc.patch: Do not copy d_name field of     struct dirent (CVE-2016-1234, boo#969727, BZ #19779)

  - nss-dns-memleak-2.patch: fix memory leak in
    _nss_dns_gethostbyname4_r (boo#973010)

  - nss-dns-getnetbyname.patch: fix stack overflow in
    _nss_dns_getnetbyname_r (CVE-2016-3075, boo#973164, BZ     #19879)

  - getaddrinfo-hostent-conv-stack-overflow.patch:
    getaddrinfo stack overflow in hostent conversion     (CVE-2016-3706, boo#980483, BZ #20010)

  - clntudp-call-alloca.patch: do not use alloca in     clntudp_call (CVE-2016-4429, boo#980854, BZ #20112)

Several vulnerabilities have been fixed in the Debian GNU C Library, eglibc :

CVE-2016-1234

Alexander Cherepanov discovered that the glibc's glob implementation suffered from a stack-based buffer overflow when it was called with the GLOB_ALTDIRFUNC flag and encountered a long file name.

CVE-2016-3075

The getnetbyname implementation in nss_dns was susceptible to a stack overflow and a crash if it was invoked on a very long name.

CVE-2016-3706

Michael Petlan reported that getaddrinfo copied large amounts of address data to the stack, possibly leading to a stack overflow. This complements the fix for CVE-2013-4458.

For Debian 7 'Wheezy', these problems have been fixed in version 2.13-38+deb7u11.

We recommend you to upgrade your eglibc packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update contains minor security fixes (for CVE-2016-3075, CVE-2016-1234, CVE-2015-8778, CVE-2015-8776, CVE-2014-9761, CVE-2015-8779) and collects fixes for bugs encountered by Fedora users.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
145145	EulerOS 2.0 SP3 : glibc (EulerOS-SA-2021-1069)	Nessus	Huawei Local Security Checks	medium
135640	EulerOS Virtualization 3.0.2.2 : glibc (EulerOS-SA-2020-1478)	Nessus	Huawei Local Security Checks	medium
130864	EulerOS 2.0 SP5 : glibc (EulerOS-SA-2019-2155)	Nessus	Huawei Local Security Checks	medium
128896	EulerOS 2.0 SP2 : glibc (EulerOS-SA-2019-1844)	Nessus	Huawei Local Security Checks	medium
121682	Photon OS 1.0: Glibc PHSA-2017-0013	Nessus	PhotonOS Local Security Checks	medium
111862	Photon OS 1.0: Cracklib / Glibc / Httpd / Libevent / Libgcrypt PHSA-2017-0013 (deprecated)	Nessus	PhotonOS Local Security Checks	high
97936	Ubuntu 12.04 LTS : eglibc regression (USN-3239-3)	Nessus	Ubuntu Local Security Checks	medium
97887	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : eglibc, glibc regression (USN-3239-2)	Nessus	Ubuntu Local Security Checks	medium
97856	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : eglibc, glibc vulnerabilities (USN-3239-1)	Nessus	Ubuntu Local Security Checks	medium
97254	GLSA-201702-11 : GNU C Library: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
93309	SUSE SLES11 Security Update : glibc (SUSE-SU-2016:2156-1)	Nessus	SuSE Local Security Checks	medium
93175	SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2016:1733-1)	Nessus	SuSE Local Security Checks	medium
93173	SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2016:1721-1)	Nessus	SuSE Local Security Checks	medium
92146	Fedora 24 : glibc (2016-b321728d74)	Nessus	Fedora Local Security Checks	medium
91987	openSUSE Security Update : glibc (openSUSE-2016-852)	Nessus	SuSE Local Security Checks	high
91534	openSUSE Security Update : glibc (openSUSE-2016-699)	Nessus	SuSE Local Security Checks	high
91361	Debian DLA-494-1 : eglibc security update	Nessus	Debian Local Security Checks	medium
91063	Fedora 23 : glibc-2.22-15.fc23 (2016-68abc0be35)	Nessus	Fedora Local Security Checks	high

CVE-2016-1234

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

medium

medium

medium

medium

medium

high

medium

medium

medium

high

medium

medium

medium

medium

high

high

medium

high