OracleVM 3.3 : glibc (OVMSA-2014-0033)

High Nessus Plugin ID 79548


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates :

- Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,

- Switch gettimeofday from INTUSE to libc_hidden_proto (#1099025).

- Fix stack overflow due to large AF_INET6 requests (CVE-2013-4458, #1111460).

- Fix buffer overflow in readdir_r (CVE-2013-4237, #1111460).

- Fix memory order when reading libgcc handle (#905941).

- Fix format specifier in malloc_info output (#1027261).

- Fix nscd lookup for innetgr when netgroup has wildcards (#1054846).

- Add mmap usage to malloc_info output (#1027261).

- Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (#1087833).

- [ppc] Add VDSO IFUNC for gettimeofday (#1028285).

- [ppc] Fix ftime gettimeofday internal call returning bogus data (#1099025).

- Also relocate in dependency order when doing symbol dependency testing (#1019916).

- Fix infinite loop in nscd when netgroup is empty (#1085273).

- Provide correct buffer length to netgroup queries in nscd (#1074342).

- Return NULL for wildcard values in getnetgrent from nscd (#1085289).

- Avoid overlapping addresses to stpcpy calls in nscd (#1082379).

- Initialize all of datahead structure in nscd (#1074353).

- Return EAI_AGAIN for AF_UNSPEC when herrno is TRY_AGAIN (#1044628).

- Do not fail if one of the two responses to AF_UNSPEC fails (#845218).

- nscd: Make SELinux checks dynamic (#1025933).

- Fix race in free of fastbin chunk (#1027101).

- Fix copy relocations handling of unique objects (#1032628).

- Fix encoding name for IDN in getaddrinfo (#981942).

- Fix return code from getent netgroup when the netgroup is not found (#1039988).

- Fix handling of static TLS in dlopen'ed objects (#995972).

- Don't use alloca in addgetnetgrentX (#1043557).

- Adjust pointers to triplets in netgroup query data (#1043557).


Update the affected glibc / glibc-common / nscd packages.

See Also

Plugin Details

Severity: High

ID: 79548

File Name: oraclevm_OVMSA-2014-0033.nasl

Version: $Revision: 1.6 $

Type: local

Published: 2014/11/26

Modified: 2017/02/14

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:glibc, p-cpe:/a:oracle:vm:glibc-common, p-cpe:/a:oracle:vm:nscd, cpe:/o:oracle:vm_server:3.3

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/11/04

Reference Information

CVE: CVE-2013-4237, CVE-2013-4458, CVE-2014-0475, CVE-2014-5119

BID: 61729, 63299, 68505, 68983, 69738

OSVDB: 96318, 98836, 108943, 109188