Mandriva Linux Security Advisory : glibc (MDVSA-2015:168)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.

Synopsis :

The remote Mandriva Linux host is missing one or more security

Description :

Updated glibc packages fix security vulnerabilities :

Stephane Chazelas discovered that directory traversal issue in locale
handling in glibc. glibc accepts relative paths with .. components in
the LC_* and LANG variables. Together with typical OpenSSH
configurations (with suitable AcceptEnv settings in sshd_config), this
could conceivably be used to bypass ForceCommand restrictions (or
restricted shells), assuming the attacker has sufficient level of
access to a file system location on the host to create crafted locale
definitions there (CVE-2014-0475).

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where
posix_spawn_file_actions_addopen fails to copy the path argument
(glibc bz #17048) which can, in conjunction with many common memory
management techniques from an application, lead to a use after free,
or other vulnerabilities (CVE-2014-4043).

This update also fixes the following issues: x86: Disable x87 inline
functions for SSE2 math (glibc bz #16510) malloc: Fix race in free()
of fastbin chunk (glibc bz #15073)

Tavis Ormandy discovered a heap-based buffer overflow in the
transliteration module loading code. As a result, an attacker who can
supply a crafted destination character set argument to iconv-related
character conversation functions could achieve arbitrary code

This update removes support of loadable gconv transliteration modules.
Besides the security vulnerability, the module loading code had
functionality defects which prevented it from working for the intended
purpose (CVE-2014-5119).

Adhemerval Zanella Netto discovered out-of-bounds reads in additional
code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
that can be used to crash the systems, causing a denial of service
conditions (CVE-2014-6040).

The function wordexp() fails to properly handle the WRDE_NOCMD flag
when processing arithmetic inputs in the form of '$((... ))' where
'...' can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass the
WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).

The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka
glibc) 2.5, 2.12, and probably other versions does not properly
restrict the use of the alloca function when allocating the SPECS
array, which allows context-dependent attackers to bypass the
FORTIFY_SOURCE format-string protection mechanism and cause a denial
of service (crash) or possibly execute arbitrary code via a crafted
format string using positional parameters and a large number of format
specifiers (CVE-2012-3406).

The nss_dns implementation of getnetbyname could run into an infinite
loop if the DNS response contained a PTR record of an unexpected
format (CVE-2014-9402).

Also glibc lock elision (new feature in glibc 2.18) has been disabled
as it can break glibc at runtime on newer Intel hardware (due to
hardware bug)

Under certain conditions wscanf can allocate too little memory for the
to-be-scanned arguments and overflow the allocated buffer

The incorrect use of '__libc_use_alloca (newsize)' caused a different
(and weaker) policy to be enforced which could allow a denial of
service attack (CVE-2015-1473).

See also :

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.8

Family: Mandriva Local Security Checks

Nessus Plugin ID: 82421 ()

Bugtraq ID:

CVE ID: CVE-2012-3406

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now