Gentoo Archives: gentoo-announce

From: Chris Reffett <creffett@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201312-01 ] GNU C Library: Multiple vulnerabilities
Date: Tue, 03 Dec 2013 04:14:28
Message-Id: 529D5A12.10109@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201312-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: GNU C Library: Multiple vulnerabilities
Date: December 03, 2013
Bugs: #350744, #356567, #386323, #386327, #386329, #386333,
      #386343, #386349, #393477, #404993
ID: 201312-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in the GNU C Library, the worst of
which allows arbitrary code execution and privilege escalation.

Background
==========

The GNU C library is the standard C library used by Gentoo Linux
systems.

Affected packages
=================

-------------------------------------------------------------------
 Package              /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
  1  sys-libs/glibc        < 2.15-r3      >= 2.15-r3

Description
===========

Multiple vulnerabilities have been discovered in the GNU C Library. Please
review the CVE identifiers referenced below for details.

Impact
======

A local attacker could trigger vulnerabilities in the dynamic library
loader, making it possible to load attacker-controlled shared objects
during execution of setuid/setgid programs and so escalate privileges.

A context-dependent attacker could trigger various vulnerabilities in
the GNU C Library, including a buffer overflow, leading to execution of
arbitrary code or a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU C Library users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.15-r3"
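To decide whether an installed glibc falls inside the vulnerable range in the table above, the following added example (not part of the advisory, and not Portage's own code) implements a simplified Gentoo version comparison that understands dotted numeric versions and the -rN revision suffix. It does not handle _alpha/_beta/_rc/_p or letter suffixes, which Portage's own comparison does, and the package atoms it is run over are constructed sample input.

```python
import re
from typing import Dict, Iterable, Tuple

# Range taken from the advisory's "Affected packages" table.
PACKAGE = "sys-libs/glibc"
FIXED_VERSION = "2.15-r3"


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '2.15-r3' into ((2, 15), 3); a missing -rN means revision 0."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if match is None:
        # Suffixed versions (e.g. 2.15_p1) are outside this simplified parser.
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a sorts before, equal to, or after b.

    Numeric components compare as integers (2.15 > 2.9), a longer version
    with the same leading components sorts as newer (2.15.1 > 2.15), and
    the Gentoo revision only breaks ties (2.15-r3 > 2.15-r2).
    """
    key_a, key_b = parse_version(a), parse_version(b)
    return (key_a > key_b) - (key_a < key_b)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed glibc is in the advisory's '< 2.15-r3' range."""
    return compare_versions(installed, fixed) < 0


def classify(installed_atoms: Iterable[str]) -> Dict[str, bool]:
    """Map each 'sys-libs/glibc-<version>' atom (the <category>/<package>-<version>
    form Portage uses under /var/db/pkg) to whether it is vulnerable; other
    packages are ignored."""
    prefix = PACKAGE + "-"
    return {atom: is_vulnerable(atom[len(prefix):])
            for atom in installed_atoms if atom.startswith(prefix)}


# Constructed sample input, not a listing from a real system.
SAMPLE_ATOMS = ["sys-libs/glibc-2.14.1-r3", "sys-libs/glibc-2.15-r2",
                "sys-libs/glibc-2.15-r3", "sys-libs/glibc-2.16-r1",
                "sys-libs/timezone-data-2013d"]

if __name__ == "__main__":
    for atom, vulnerable in classify(SAMPLE_ATOMS).items():
        print(f"{atom}: {'VULNERABLE, upgrade' if vulnerable else 'unaffected'}")
```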

References
==========

[ 1 ] CVE-2009-5029
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5029
[ 2 ] CVE-2010-3847
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3847
[ 3 ] CVE-2011-0536
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0536
[ 4 ] CVE-2011-1071
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1071
[ 5 ] CVE-2011-1089
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1089
[ 6 ] CVE-2011-1095
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1095
[ 7 ] CVE-2011-1658
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1658
[ 8 ] CVE-2011-1659
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1659
[ 9 ] CVE-2012-0864
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0864

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201312-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
