U radu programskog paketa glibc, namijenjenog operacijskom sustavu Fedora 16, uočen je sigurnosni propust koji zlonamjernim korisnicima omogućuje zaobilaženje pojedinih sigurnosnih ograničenja.
Paket:
glibc 2.x
Operacijski sustavi:
Fedora 16
Problem:
cjelobrojno prepisivanje, pogreška u programskoj funkciji
Iskorištavanje:
lokalno/udaljeno
Posljedica:
zaobilaženje postavljenih ograničenja
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2012-0864
Izvorni ID preporuke:
FEDORA-2012-2162
Izvor:
Fedora
Problem:
Propust se očituje u prepisivanju cjelobrojne vrijednosti u "nargs".
Posljedica:
Napadaču omogućuje zaobilaženje postavljenih ograničenja.
Rješenje:
Korisnicima se preporuča korištenje novih programskih rješenja.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-2162
2012-02-22 01:38:51
--------------------------------------------------------------------------------
Name : glibc
Product : Fedora 16
Version : 2.14.90
Release : 24.fc16.6
URL : http://www.gnu.org/software/glibc/
Summary : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.
--------------------------------------------------------------------------------
Update Information:
Avoid "nargs" integer overflow which can be used to bypass FORTIFY_SOURCE
protections.
Revert changes for 552960, they're still causing problems.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Feb 20 2012 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-24.fc16.6
- Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE
(#794797)
- Disable 552960/769421 patches again, they're still not right.
* Fri Feb 10 2012 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-24.fc16.5
- Fix lost wakeups in pthread_cond_*. (#552960, #769421)
- Define x86_64 feraiseexcept inline only under __USE_EXTERN_INLINES
(#769993).
* Thu Dec 22 2011 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-24.fc16.4
- Revert change for 552960, it's causing multiple problems.
* Sun Dec 18 2011 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-24.fc16.3
- Check values from TZ file header (#767696)
- Handle EAGAIN from FUTEX_WAIT_REQUEUE_PI (#552960)
- Add {dist}.#
- Correct return value from pthread_create when stack alloction fails.
(#767746)
* Wed Dec 7 2011 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-23
- Fix a wrong constant in powerpc hypot implementation (#750811)
- Truncate time values in Linux futimes when falling back to utime
* Mon Dec 5 2011 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-22
- Mark fortified __FD_ELT as extension (#761021)
- Fix typo in manual (#708455)
* Wed Nov 30 2011 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-21
- Don't fail in makedb if SELinux is disabled (#750858)
- Fix access after end of search string in regex matcher (#757887)
* Mon Nov 28 2011 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-20
- Drop lock before calling malloc_printerr (#757881)
* Fri Nov 18 2011 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-19
- Check malloc arena atomically (BZ#13071)
- Don't call reused_arena when _int_new_arena failed (#753601)
* Wed Nov 16 2011 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-18
- Fix grouping and reuse other locales in various locales (BZ#13147)
* Tue Nov 15 2011 Jeff Law <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2.14.90-17
Revert bogus commits/rebasing of Nov 14, Nov 11 and Nov 8. Sources
should be equivalent to Fedora 16's initial release.
* Wed Oct 26 2011 Fedora Release Engineering <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> -
2.14.90-15
- Rebuilt for glibc bug#747377
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #794797 - CVE-2012-0864 glibc: F_S format string protection bypass
via "nargs" integer overflow [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=794797
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update glibc' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke