Rapid7 Vulnerability & Exploit Database

RHSA-2012:0126: glibc security update

Back to Search

RHSA-2012:0126: glibc security update

Severity
7
CVSS
(AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published
03/30/2011
Created
07/25/2018
Added
02/21/2012
Modified
07/04/2017

Description

The glibc packages contain the standard C libraries used by multipleprograms on the system. These packages contain the standard C and thestandard math libraries. Without these two libraries, a Linux system cannotfunction properly.An integer overflow flaw, leading to a heap-based buffer overflow, wasfound in the way the glibc library read timezone files. If acarefully-crafted timezone file was loaded by an application linked againstglibc, it could cause the application to crash or, potentially, executearbitrary code with the privileges of the user running the application.(CVE-2009-5029)A flaw was found in the way the ldd utility identified dynamically linkedlibraries. If an attacker could trick a user into running ldd on amalicious binary, it could result in arbitrary code execution with theprivileges of the user running ldd. (CVE-2009-5064)An integer overflow flaw, leading to a heap-based buffer overflow, wasfound in the way the glibc library loaded ELF (Executable and LinkingFormat) files. If a carefully-crafted ELF file was loaded by anapplication linked against glibc, it could cause the application to crashor, potentially, execute arbitrary code with the privileges of the userrunning the application. (CVE-2010-0830)It was found that the glibc addmntent() function, used by various mounthelper utilities, did not handle certain errors correctly when updating themtab (mounted file systems table) file. If such utilities had the setuidbit set, a local attacker could use this flaw to corrupt the mtab file.(CVE-2011-1089)A denial of service flaw was found in the remote procedure call (RPC)implementation in glibc. A remote attacker able to open a large number ofconnections to an RPC service that is using the RPC implementation fromglibc, could use this flaw to make that service use an excessive amount ofCPU time. (CVE-2011-4609)Red Hat would like to thank the Ubuntu Security Team for reportingCVE-2010-0830, and Dan Rosenberg for reporting CVE-2011-1089. The UbuntuSecurity Team acknowledges Dan Rosenberg as the original reporter ofCVE-2010-0830.Users should upgrade to these updated packages, which resolve these issues.

Solution(s)

  • redhat-upgrade-glibc
  • redhat-upgrade-glibc-common
  • redhat-upgrade-glibc-devel
  • redhat-upgrade-glibc-headers
  • redhat-upgrade-glibc-utils
  • redhat-upgrade-nscd

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;