Updated glibc packages that resolve vulnerabilities and address several bugs are now available.
The glibc packages contain GNU libc, which provides standard system libraries. A bug in the getgrouplist function can cause a buffer overflow if the size of the group list is too small to hold all the user's groups. This overflow can cause segmentation faults in user applications, which may have security implications, depending on the application in question. This vulnerability exists only when an administrator has placed a user in a number of groups larger than that expected by an application. Therefore, there is no risk in instances where users are members of few groups. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0689 to this issue. Herbert Xu reported that various applications can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. In Red Hat Linux 9 and later, the glibc function getifaddrs uses netlink and could therefore be vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0859 to this issue. In addition to the security issues, a number of other bugs were fixed. Users are advised to upgrade to these erratum packages, which contain a patch that checks that netlink messages actually came from the kernel, a backported security patch for the getgroups list vulnerability, and patches for the various bug fixes. [Update 2003-11-13]: The packages for Red Hat Linux 9 have been updated for compatibility with kernels not provided by Red Hat.