Rapid7 Vulnerability & Exploit Database

RHSA-2003:325: Updated glibc packages provide security and bug fixes

Back to Search

RHSA-2003:325: Updated glibc packages provide security and bug fixes

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
10/20/2003
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated glibc packages that resolve vulnerabilities and address several bugs are now available.

The glibc packages contain GNU libc, which provides standard system libraries. A bug in the getgrouplist function can cause a buffer overflow if the size of the group list is too small to hold all the user's groups. This overflow can cause segmentation faults in user applications, which may have security implications, depending on the application in question. This vulnerability exists only when an administrator has placed a user in a number of groups larger than that expected by an application. Therefore, there is no risk in instances where users are members of few groups. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0689 to this issue. Herbert Xu reported that various applications can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. In Red Hat Linux 9 and later, the glibc function getifaddrs uses netlink and could therefore be vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0859 to this issue. In addition to the security issues, a number of other bugs were fixed. Users are advised to upgrade to these erratum packages, which contain a patch that checks that netlink messages actually came from the kernel, a backported security patch for the getgroups list vulnerability, and patches for the various bug fixes. [Update 2003-11-13]: The packages for Red Hat Linux 9 have been updated for compatibility with kernels not provided by Red Hat.

Solution(s)

  • redhat-upgrade-glibc
  • redhat-upgrade-glibc-common
  • redhat-upgrade-glibc-debug
  • redhat-upgrade-glibc-debug-static
  • redhat-upgrade-glibc-devel
  • redhat-upgrade-glibc-profile
  • redhat-upgrade-glibc-utils
  • redhat-upgrade-nptl-devel
  • redhat-upgrade-nscd

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;