glibc
Mandriva Linux Security Advisory MDVSA-2010:111
http://www.mandriva.com/security/
_______________________________________________________________________
Package : glibc
Date : June 8, 2010
Affected: 2008.0, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Debian Security Advisory DSA-2058-1 security@debian.org
http://www.debian.org/security/ Aurelien Jarno
June 10, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : glibc, eglibc
Vulnerability : multiple
Problem type : remote (local)
Debian-specific: no
CVE Id(s) : CVE-2008-1391, CVE-2009-4880, CVE-2009-4881, CVE-2010-0296, CVE-2010-0830
search paths in the same string are processed). $ORIGIN sequences within a
DT_NEEDED entry or path passed as a parameter to dlopen() are treated as
errors. The same restrictions may be applied to processes that have more than
minimal privileges on systems with installed extended security mechanisms."
However, glibc ignores this recommendation. The attack the ELF designers were
likely concerned about is users creating hardlinks to suid executables in
directories they control and then executing them, thus controlling the
expansion of $ORIGIN.
It is tough to form a thorough complaint about this glibc behaviour however,
Debian Security Advisory DSA-1973-1 security@debian.org
http://www.debian.org/security/ Aurelien Jarno
January 19, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : glibc, eglibc
Vulnerability : information disclosure
Problem type : local
Debian-specific: no
CVE Id : CVE-2010-0015
Debian Bug : 560333
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0001
Synopsis: VMware ESX third party updates for Service Console
packages glibc, sudo, and openldap
Issue date: 2011-01-04
Updated on: 2011-01-04 (initial release of advisory)
CVE numbers: CVE-2010-3847 CVE-2010-385 CVE-2010-2956
CVE-2010-0211 CVE-2010-0212
- ------------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in glibc, the worst of which
allows local attackers to execute arbitrary code as root.
Background
==========
===========================================================
Ubuntu Security Notice USN-944-1 May 25, 2010
glibc, eglibc vulnerabilities
CVE-2008-1391, CVE-2010-0296, CVE-2010-0830
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
LITTLE ANALYSIS
===============
MPlayer svn 20070729 (last version)
1: new_mplayer_avihead_poc3.avi: null pointer in WinXP or glibc 2.5 (depending
on compile option).
If glibc < 2.5 (maybe prior) or Win2000 SP4, it will be a heap overflow.
vulnerability code in libmpdemux/aviheader.c:
Please see http://seclists.org/fulldisclosure/2010/Oct/257 for background
information.
For obvious reasons, the dynamic linker will ignore requests to preload user
specified libraries for setuid/setgid programs. However, it is possible to
imagine legitimate use cases for this functionality, so the glibc developers
provide an exception to this rule.
LD_PRELOAD
A whitespace-separated list of additional, user-specified, ELF
shared libraries to be loaded before all others. This can be
http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076294.html
On Ubuntu, xterm is setgid utmp, which might make it an interesting
target for local attacks. However, you'll need to check if it's
already dropped group utmp privileges by the time this overflow
happens. In either case, glibc heap protection probably makes this
very difficult or impossible to exploit anyway.
-Dan
On Sun, Oct 10, 2010 at 11:07 PM, watercloud watercloud
As we can see in [3], to decode the packet the function dn_expand() is used.
This function returns a strange value for some 'special bad' packets!
Is it a bug? For me, yes, because in the manual and other docs I didn't find
information about it; I saw that in the glibc code. OK, never mind. This function
returns the decoded string in this situation in the buffer 'namestring', and the length
of this buffer is MAXDNAME. The buffer 'namestring' is declared here:
"dns.c"
char namestring[1024+1];
Mandriva Linux Security Advisory MDVSA-2010:212
http://www.mandriva.com/security/
_______________________________________________________________________
Package : glibc
Date : October 24, 2010
Affected: 2009.0, 2009.1, 2010.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Mandriva Linux Security Advisory MDVSA-2010:207
http://www.mandriva.com/security/
_______________________________________________________________________
Package : glibc
Date : October 20, 2010
Affected: 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
Enterprise Server 5.0
_______________________________________________________________________
Hi, all!
I found that xterm on Ubuntu 10.04 has a local heap overflow,
but I don't know whether it can be exploited on glibc 2.11.
Details:
watercloud@ubuntu:~/Downloads$ ls -l `which xterm`
-rwxr-sr-x 1 root utmp 354444 2010-03-31 17:47 /usr/bin/xterm
That's true. But the worst implementation of lib C is GNU. There is a huge difference using proftpd on NetBSD and Linux
- --- 3. Stack Exhaustion ---
Stack exhaustion was found in GNU glibc.
- ---PoC3---
/bin/egrep "/(.*+++++++++++++++++++++++++++++(\w+))/im" cx
- ---PoC3---
Debian Security Advisory DSA-2122-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
October 22, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : glibc
Vulnerability : missing input sanitization
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2010-3847 CVE-2010-3856
Debian Bug : 600667
across multiple HTTP queries to hold manager state.

"The issue is the generation of session ids in the AsteriskGUI HTTP server.

When using Glibc, the implementation and state of rand() and random() is
shared. Asterisk uses random() to issue MD5 digest authentication
will misinterpret this condition, and believe that the buffer was too small,
and reallocate a bigger one (with linearly increasing buffer size), and repeat,
until the allocation fails. At that point, fetchmail will abort.
The exact combination of contributing and mitigating factors is not
fully understood; GNU glibc 2.7 and 2.10.1 on i586 report EILSEQ when
printing invalid sequences through a %.*s format string in multibyte
locales such as de_DE.UTF-8; NetBSD 5, FreeBSD 8 and Solaris 10 do not.
However, the issue is a genuine fetchmail bug that deserves a fix.
Note that the "Affects:" line above may be inaccurate, and it may be that
Debian Security Advisory DSA-1605-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
July 08, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : glibc
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113
Intrusion Detection Systems Correlation: a Weapon of Mass
Investigation - Sebastien Tricaud and Pierre Chifflier, INL
Web Wreck-utation - Dan Hubbard and Stephan Chenette, WebSense
Secure programming with gcc and glibc - Marcel Holtmann, Intel
Mobitex network security - olleB, toolcrypt.org
Peach Fuzzing - Michael Eddington, Leviathan
===========================================================
Ubuntu Security Notice USN-1009-1 October 22, 2010
glibc, eglibc vulnerabilities
CVE-2010-3847, CVE-2010-3856
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 9.04
server, servicing over 40 million users). The vendor coded
several impressive security measures against DNS spoofing (e.g.
UDP source port randomization and spoofed response detection),
but relied on the standard C randomization facility (the rand()
and srand() functions in <stdlib.h>). The two popular stdlib
implementations analyzed, glibc (used with GNU C++ for Linux/
Unix-like systems) and MSVCRT (used with Microsoft's MSVC for
Windows) are shown to be easily predictable, thus enabling an
attacker to predict the DNS queries sent by PowerDNS Recursor,
and in turn mount an efficient and effective DNS cache poisoning
attack (or a pharming attack, as it is often called today).
open("/usr/tmp/somethingfoo_foo_foo_foo_foo_foo_[OMIT]foo_foo_f",
O_RDONLY) = -1 ENAMETOOLONG (File name too long)
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Will result in ENAMETOOLONG, but this limitation of glibc can be overcome
using directories.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
strace -e open -s 100000 php -r
n = vsnprintf (partial_message + partial_message_size_used,
partial_message_size - partial_message_size_used,
message, args);
+ va_end(args);
/* old glibc versions return -1 for truncation */
if (n >= 0
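Review bot: `va_end(args)` is now called immediately after the `vsnprintf` call, yet the surrounding code (the `partial_message_size += 2048; ... REALLOC(...)` path in the next hunk, and the "reallocate a bigger one ... and repeat" behaviour described above) re-enters `vsnprintf` with the same `args` when the buffer was too small. A `va_list` that has been consumed by a v*printf call and then ended must be re-initialised with `va_start` (or a fresh `va_copy`) before every further use, otherwise the retry reads an indeterminate `va_list`. Please confirm that `args` is re-started on each iteration of the retry loop, or move the `va_end` to after the loop.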
@@ -322,7 +328,6 @@ report_complete (FILE *errfp, message, va_alist)
partial_message_size += 2048;
partial_message = REALLOC (partial_message, partial_message_size);
}
>
> and example code
> calloc(0x10000001, 0x10);
>
> it will return NULL in winxp or glibc 2.5
> it will return 0x10 sizes heap in glibc <2.5(maybe prior) or
> win2000 sp4
This bug has been fixed in GNU libc CVS in August 2002. I've just
checked version 2.3.6, and it does return NULL on overflow. There is,
however, a different version of calloc that GDB sees, but this is not