Rapid7 Vulnerability & Exploit Database

RHSA-2001:160: Updated glibc packages are available

Back to Search

RHSA-2001:160: Updated glibc packages are available

Severity
5
CVSS
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
Published
12/21/2001
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated glibc packages are available to fix an overflowable buffer and for 7.x to fix a couple of non-security related bugs.

An overflowable buffer exists in earlier versions of glibc glob(3) implementation. It may be possible to exploit programs that pass user modifiable input to the glibc glob function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-0886 to this issue. This errata also fixes a couple of non-security related bugs in glibc packages for Red Hat Linux 7.x. There was a bug in the dynamic linker which caused DT_RUNPATH dynamic tags (e.g. created by GNU ld with --enable-new-dtags -rpath DIR options) to behave the same way as mere DT_RPATH tag, ie. search paths in it couldn't be overridden by LD_LIBRARY_PATH environment variable; this is fixed in the updated packages, as well as a strndup bug when strndup was used with string literal argument and a typo in <inttypes.h> header. It is recommended that all users upgrade to provided packages. We'd like to thank Flavio Veloso <flaviovs@magnux.com> for discovering this buffer overflow problem.

Solution(s)

  • redhat-upgrade-glibc
  • redhat-upgrade-glibc-common
  • redhat-upgrade-glibc-devel
  • redhat-upgrade-glibc-profile
  • redhat-upgrade-nscd

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;