Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : eglibc, glibc regression (USN-3239-2)

Ubuntu Security Notice (C) 2017 Canonical, Inc. / NASL script (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

USN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately,
the fix for CVE-2015-5180 introduced an internal ABI change within the
resolver library. This update reverts the change. We apologize for the
inconvenience.

Please note that long-running services that were restarted to
compensate for the USN-3239-1 update may need to be restarted again.

It was discovered that the GNU C Library incorrectly handled the
strxfrm() function. An attacker could use this issue to cause a denial
of service or possibly execute arbitrary code. This issue only
affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982)

It was discovered that an integer overflow existed in the
_IO_wstr_overflow() function of the GNU C Library. An
attacker could use this to cause a denial of service or
possibly execute arbitrary code. This issue only affected
Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8983)

It was discovered that the fnmatch() function in the GNU C
Library did not properly handle certain malformed patterns.
An attacker could use this to cause a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (CVE-2015-8984)

Alexander Cherepanov discovered a stack-based buffer
overflow in the glob implementation of the GNU C Library. An
attacker could use this to specially craft a directory
layout and cause a denial of service. (CVE-2016-1234)

Florian Weimer discovered a NULL pointer dereference in the
DNS resolver of the GNU C Library. An attacker could use
this to cause a denial of service. (CVE-2015-5180)

Michael Petlan discovered an unbounded stack allocation in
the getaddrinfo() function of the GNU C Library. An attacker
could use this to cause a denial of service. (CVE-2016-3706)

Aldy Hernandez discovered an unbounded stack allocation in
the sunrpc implementation in the GNU C Library. An attacker
could use this to cause a denial of service. (CVE-2016-4429)

Tim Ruehsen discovered that the getaddrinfo() implementation
in the GNU C Library did not properly track memory
allocations. An attacker could use this to cause a denial of
service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-5417)

Andreas Schwab discovered that the GNU C Library on ARM
32-bit platforms did not properly set up execution contexts.
An attacker could use this to cause a denial of service.
(CVE-2016-6323).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected libc6 package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 97887 ()

Bugtraq ID:

CVE ID: CVE-2015-5180
CVE-2015-8982
CVE-2015-8983
CVE-2015-8984
CVE-2016-1234
CVE-2016-3706
CVE-2016-4429
CVE-2016-5417
CVE-2016-6323

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now