SuSE9 Security Update : glibc (YOU Patch Number 12641)

High Nessus Plugin ID 49758


The remote SuSE 9 host is missing a security-related patch.


Several security issues were fixed :

- Integer overflow causing arbitrary code execution in --verify mode could be induced by a specially crafted binary. (CVE-2010-0830)

- The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296)

- The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391)

Also one non-security issue was fixed: - nscd in the paranoia mode would crash on the periodic restart in case one of the databases was disabled in the nscd configuration.

In addition, the timezone information was updated to the level of 2010l, including the following changes :

- Africa/Cairo (Egypt) and Asia/Gaza (Palestine) do not use daylight saving during the month of Ramadan in order to prevent Muslims from fasting one hour longer. .html st-2010.html

- Africa/Casablanca (Marocco) has spent the period from May 2 to Aug 8 using daylight saving. Marocco adopted regular daylight saving, but the start and end dates vary every year. 2010.html

- America/Argentina/San_Luis (Argentina region) local government did not terminate its DST period as planned and instead decided to extend its use of the UTC-3 time indefinitely. 08.html

New zones :

- America/Bahia_Banderas (Mexican state of Nayarit) has declared that it is to follow the UCT-6 time instead of UCT-7, with the aim to have the same time as the nearby city of Puerto Vallarta.

Historical changes :

- Asia/Taipei information on DST usage listed 1980 as one year using DST, which should read 1979 instead according to government resources.

- Europe/Helsinki, before switching to Central European standard DST in 1983, trialled DST for two years.
However, the database omitted to specify that in these trials of 1981 and 1982, switches have been made one hour earlier than in 1983.

Spelling changes in Micronesia: - Pacific/Truk has been renamed to Pacific/Chuuk in 1989. - Pacific/Ponape has been renamed to Pacific/Pohnpei in 1984.


Apply YOU patch number 12641.

See Also

Plugin Details

Severity: High

ID: 49758

File Name: suse9_12641.nasl

Version: $Revision: 1.2 $

Type: local

Agent: unix

Published: 2010/10/06

Modified: 2012/04/23

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:suse:suse_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2010/08/25

Reference Information

CVE: CVE-2008-1391, CVE-2010-0296, CVE-2010-0830

CWE: 189