[security-announce] glibc: CVE-2015-8777 Security Update

Sona Sarmadi sona.sarmadi at enea.com
Thu Feb 4 07:51:22 CET 2016


	Enea Linux Security Advisory

=========================================================
Product/package: glibc 2.20
Severity: Low
CVE Name: CVE-2015-8777
Layer: poky
=========================================================

This security update fixes CVE-2015-8777: LD_POINTER_GUARD in the
environment is not sanitized.

Description:
The process_envvars function in elf/rtld.c in the GNU C Library (aka
glibc or libc6) before 2.23 allows local users to bypass a
pointer-guarding protection mechanism via a zero value of the
LD_POINTER_GUARD environment variable.
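
A host-side check related to the description above, as an added example that is not part of the original advisory: it reports processes whose environment carries LD_POINTER_GUARD and flags glibc version strings before 2.23. The function names, the rule that any value starting with 0 counts as zero, and the sample tree in demo() are assumptions made for illustration.

```shell
# Added example (not from the advisory): report processes that carry
# LD_POINTER_GUARD in their environment. Function names are hypothetical.

# Print the LD_POINTER_GUARD value from a NUL-separated environ file;
# return 1 when the variable is absent or the file cannot be read.
pg_value() {
    [ -r "$1" ] || return 1
    tr '\0' '\n' < "$1" 2>/dev/null |
        awk '/^LD_POINTER_GUARD=/ { print substr($0, 18); f = 1; exit }
             END { exit !f }'
}

# Scan <root>/<pid>/environ (root defaults to /proc). Prints one line per
# hit and returns 1 if any process sets the variable, 0 if none does.
scan_pointer_guard() {
    root=${1:-/proc}
    hits=0
    for env in "$root"/[0-9]*/environ; do
        val=$(pg_value "$env") || continue
        pid=${env%/environ}
        # Assumption: any value starting with 0 is reported as zero.
        case $val in
            0*) state=ZERO ;;
            *)  state=nonzero ;;
        esac
        printf '%s LD_POINTER_GUARD=%s %s\n' "${pid##*/}" "$val" "$state"
        hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# True when a version string such as "2.20" is before 2.23. A backported
# fix keeps the old number, so this is a hint, not proof of exposure.
glibc_before_2_23() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 23 ]; }
}

# Constructed sample: a fake proc tree with one flagged process.
demo() {
    d=$(mktemp -d)
    mkdir "$d/101" "$d/102"
    printf 'PATH=/bin\0LD_POINTER_GUARD=0\0' > "$d/101/environ"
    printf 'PATH=/bin\0HOME=/root\0' > "$d/102/environ"
    scan_pointer_guard "$d"; rc=$?
    rm -rf "$d"; return "$rc"
}
```

Called with no argument, scan_pointer_guard reads /proc; seeing other users' process environments requires root.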

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=18928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777
Reproduction steps available at:
http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html
CVE request:
http://seclists.org/oss-sec/2015/q3/504

Upstream patch:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=1ad606237b61bc851e25976ba69f458374287f78

How to get the latest patches
=============================
- If you have already cloned meta-enea, update it to get new
security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned the needed repositories, do so as described
below. (All patches are fetched implicitly when cloning the repos.)

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-hierofalcon.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-openembedded.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy git://git.enea.com/linux/meta-enea/meta-vt.git


If you have any questions regarding the security patches and security
updates, please contact security at enea.com.


Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com