[security-announce] glibc: Security update

Sona Sarmadi sona.sarmadi at enea.com
Fri Sep 25 10:09:17 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

		Enea Linux Security Advisory
	
=========================================================
Product/package: Enea-Linux-5.0-beta-m400/glibc 2.20
Severity: Low
CVE Name: CVE-2015-1472
=========================================================
This security update fixes a heap-based buffer overflow
in glibc swscanf.

Under certain conditions wscanf can allocate too little memory
for the to-be-scanned arguments and overflow the allocated
buffer. The implementation now correctly computes the required
buffer size when using malloc.

Affected versions are: glibc or libc6 before 2.21.

Signed patch and README files
================================
0035-glibc-wscanf-CVE-2015-1472.patch
0035-glibc-wscanf-CVE-2015-1472.patch.sig
0035-glibc-wscanf-CVE-2015-1472.README.asc

Description
===========
The ADDW macro in stdio-common/vfscanf.c in the GNU C Library
(aka glibc or libc6) before 2.21 does not properly consider
data-type size during memory allocation, which allows context-
dependent attackers to cause a denial of service (buffer
overflow) or possibly have unspecified other impact via a
long line containing wide characters that are improperly
handled in a wscanf call.

References
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
http://www.openwall.com/lists/oss-security/2015/02/01/8

Upstream bug report:
https://sourceware.org/bugzilla/show_bug.cgi?id=16618

Upstream fix:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=
5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order

wget https://linux.enea.com/5.0-beta-m400/\
Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky
<Fetch and apply the existing patches >

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0035-glibc-wscanf-CVE-2015-1472.patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0035-glibc-wscanf-CVE-2015-1472.patch.sig
gpg --verify 0035-glibc-wscanf-CVE-2015-1472.patch.sig
patch -p1 < ./0035-glibc-wscanf-CVE-2015-1472.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWBQEtAAoJEHc+9u9ocWoU/GsP/RNNJNVW6lVfX3JprWpGMFmh
baKFnnZCP107KfUTZFL4GASC/WBeXWgDpK8j8QSPT6ksqSgdYezRLG7mTJS+hYW+
oj5/Zxo1hmzyGv8xGdCs2q56waNyGZeZF4DNvfaADePJpx4JFcN9xr4PhPRRRoNM
tehkkptCP/7nwMJ6kP/xe0Q73hiCIMDwgvo8TD0bMfSQmGGJLyKmdliwAcCmOzrt
+Q2ZH2y7x6qXchtK0fl/rYEoEXPHlk1SEz9xMYpF4Uxe4zNq0rHjrmjUT37f8C6I
zW+DpH5b+aRjpVuo+L9+SDysCpILA5nmWjtcdCdtS/IlEbM8lhrHlrVm4mp8uXRE
kgIB/69B6q3UfwrC4TNARqoazQ+dXoWZbjcq854KnftAk3unl0Kg7vqwZBLXKz8z
urV6FBg+v5VA5VvhLdi6+nB54ZRVQHX5+o9Jqc7p6GOHMNTxSuoZ7lna3UWN2bhi
AyZTQJtEKAnJwY1gdB3POA5BTfn0Car0V3yjz9m8KXFjnsFSUGsFepEDeBN1Vc9e
GovY/N5sorFWouKQwQ9Gad1MDG12iSTBZwtZGoAp1QXuPH7jT08odekIZCKCa1HU
/vTBEMTMqUTjHw3W4UxaoDWx7yXp/hZPvoQrm/89xsrfOdNHYJTTkMxrSaW5uEmj
9GfN9wvPDSk5vBNa8K8b
=FDoc
-----END PGP SIGNATURE-----



More information about the security-announce mailing list