SuSE9 Security Update : glibc (YOU Patch Number 12641)

This script is Copyright (C) 2010-2012 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 9 host is missing a security-related patch.

Description :

Several security issues were fixed :

- Integer overflow causing arbitrary code execution in
ld.so --verify mode could be induced by a specially
crafted binary. (CVE-2010-0830)

- The addmntent() function would not escape the newline
character properly, allowing the user to insert
arbitrary newlines to the /etc/mtab; if the addmntent()
is run by a setuid mount binary that does not do extra
input checking, this would allow custom entries to be
inserted in /etc/mtab. (CVE-2010-0296)

- The strfmon() function contains an integer overflow
vulnerability in width specifiers handling that could be
triggered by an attacker that can control the format
string passed to strfmon(). (CVE-2008-1391)

Also one non-security issue was fixed: - nscd in the paranoia mode
would crash on the periodic restart in case one of the databases was
disabled in the nscd configuration.

In addition, the timezone information was updated to the level of
2010l, including the following changes :

- Africa/Cairo (Egypt) and Asia/Gaza (Palestine) do not
use daylight saving during the month of Ramadan in order
to prevent Muslims from fasting one hour longer.
http://www.timeanddate.com/news/time/egypt-ends-dst-2010
.html
http://www.timeanddate.com/news/time/westbank-gaza-end-d
st-2010.html

- Africa/Casablanca (Marocco) has spent the period from
May 2 to Aug 8 using daylight saving. Marocco adopted
regular daylight saving, but the start and end dates
vary every year.
http://www.timeanddate.com/news/time/morocco-starts-dst-
2010.html

- America/Argentina/San_Luis (Argentina region) local
government did not terminate its DST period as planned
and instead decided to extend its use of the UTC-3 time
indefinitely.
http://www.worldtimezone.com/dst_news/dst_news_argentina
08.html

New zones :

- America/Bahia_Banderas (Mexican state of Nayarit) has
declared that it is to follow the UCT-6 time instead of
UCT-7, with the aim to have the same time as the nearby
city of Puerto Vallarta.
http://www.worldtimezone.com/dst_news/dst_news_mexico08.
html

Historical changes :

- Asia/Taipei information on DST usage listed 1980 as one
year using DST, which should read 1979 instead according
to government resources.

- Europe/Helsinki, before switching to Central European
standard DST in 1983, trialled DST for two years.
However, the database omitted to specify that in these
trials of 1981 and 1982, switches have been made one
hour earlier than in 1983.

Spelling changes in Micronesia: - Pacific/Truk has been renamed to
Pacific/Chuuk in 1989. - Pacific/Ponape has been renamed to
Pacific/Pohnpei in 1984.

See also :

http://support.novell.com/security/cve/CVE-2008-1391.html
http://support.novell.com/security/cve/CVE-2010-0296.html
http://support.novell.com/security/cve/CVE-2010-0830.html

Solution :

Apply YOU patch number 12641.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 49758 ()

Bugtraq ID:

CVE ID: CVE-2008-1391
CVE-2010-0296
CVE-2010-0830

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now