SuSE 10 Security Update : glibc (ZYPP Patch Number 7201)

This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 10 host is missing a security-related patch.

Description :

Several security issues were fixed :

- Decoding of the $ORIGIN special value in various LD_
environment variables allowed local attackers to execute
code in context of e.g. setuid root programs, elevating
privileges. This issue does not affect SUSE as an
assertion triggers before the respective code is
executed. The bug was fixed nevertheless.
(CVE-2010-3847)

- The LD_AUDIT environment was not pruned during setuid
root execution and could load shared libraries from
standard system library paths. This could be used by
local attackers to inject code into setuid root programs
and so elevated privileges. (CVE-2010-3856)

- Integer overflow causing arbitrary code execution in
ld.so --verify mode could be induced by a specially
crafted binary. (CVE-2010-0830)

- The addmntent() function would not escape the newline
character properly, allowing the user to insert
arbitrary newlines to the /etc/mtab; if the addmntent()
is run by a setuid mount binary that does not do extra
input checking, this would allow custom entries to be
inserted in /etc/mtab. (CVE-2010-0296)

- The strfmon() function contains an integer overflow
vulnerability in width specifiers handling that could be
triggered by an attacker that can control the format
string passed to strfmon(). (CVE-2008-1391)

- Some setups (mainly Solaris-based legacy setups) include
shadow information (password hashes) as so-called
'adjunct passwd' table, mangling it with the rest of
passwd columns instead of keeping it in the shadow
table. Normally, Solaris will disclose this information
only to clients bound to a priviledged port, but when
nscd is deployed on the client, getpwnam() would
disclose the password hashes to all users. New mode
'adjunct as shadow' can now be enabled in
/etc/default/nss that will move the password hashes from
the world-readable passwd table to emulated shadow table
(that is not cached by nscd). (CVE-2010-0015)

Some invalid behavior, crashes and memory leaks were fixed :

- nscd in the paranoia mode would crash on the periodic
restart in case one of the databases was disabled in the
nscd configuration.

- When closing a widechar stdio stream, memory would
sometimes be leaked.

- memcpy() on power6 would errorneously use a 64-bit
instruction within 32-bit code in certain corner cases.

- jrand48() returns numbers in the wrong range on 64-bit
systems: Instead of [-231, +231), the value was always
positive and sometimes higher than the supposed upper
bound.

- Roughly every 300 days of uptime, the times() function
would report an error for 4096 seconds, a side-effect of
how system calls are implemented on i386. glibc was
changed to never report an error and crash an
application that would trigger EFAULT by kernel (because
of invalid pointer passed to the times() syscall)
before.

- getifaddrs() would report infiniband interfaces with
corrupted ifa_name structure field.

- getgroups(-1) normally handles the invalid array size
gracefully by setting EINVAL. However, a crash would be
triggered in case the code was compiled using
'-DFORTIFYSOURCE=2 -O2'.

- Pthread cleanup handlers would not always be invoked on
thread cancellation (e.g. in RPC code, but also in other
parts of glibc that may hang outside of a syscall) -
glibc is now compiled with

-fasynchronous-unwind-tables. Some other minor issues
were fixed :

- There was a problem with sprof<->dlopen() interaction
due to a missing flag in the internal dlopen() wrapper.

- On x86_64, backtrace of a static destructor would stop
in the _fini() glibc pseudo-routine, making it difficult
to find out what originally triggered the program
termination. The routine now has unwind information
attached.

- glibc-locale now better coexists with sap-locale on
upgrades by regenerating the locale/gconv indexes
properly.

See also :

http://support.novell.com/security/cve/CVE-2008-1391.html
http://support.novell.com/security/cve/CVE-2010-0015.html
http://support.novell.com/security/cve/CVE-2010-0296.html
http://support.novell.com/security/cve/CVE-2010-0830.html
http://support.novell.com/security/cve/CVE-2010-3847.html
http://support.novell.com/security/cve/CVE-2010-3856.html

Solution :

Apply ZYPP patch number 7201.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 50377 ()

Bugtraq ID:

CVE ID: CVE-2008-1391
CVE-2010-0015
CVE-2010-0296
CVE-2010-0830
CVE-2010-3847
CVE-2010-3856

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now