{ "Definition": [ { "ID": "oval:org.altlinux.errata:def:20162499", "Version": "oval:org.altlinux.errata:def:20162499", "Class": "patch", "Metadata": { "Title": "ALT-PU-2016-2499: package `glibc` update to version 2.24-alt1", "AffectedList": [ { "Family": "unix", "Platforms": [ "ALT Linux branch c9f2" ], "Products": [ "ALT SPWorkstation", "ALT SPServer" ] } ], "References": [ { "RefID": "ALT-PU-2016-2499", "RefURL": "https://errata.altlinux.org/ALT-PU-2016-2499", "Source": "ALTPU" }, { "RefID": "BDU:2022-04623", "RefURL": "https://bdu.fstec.ru/vul/2022-04623", "Source": "BDU" }, { "RefID": "BDU:2022-05945", "RefURL": "https://bdu.fstec.ru/vul/2022-05945", "Source": "BDU" }, { "RefID": "CVE-2016-1234", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-1234", "Source": "CVE" }, { "RefID": "CVE-2016-3075", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-3075", "Source": "CVE" }, { "RefID": "CVE-2016-4429", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-4429", "Source": "CVE" }, { "RefID": "CVE-2016-5417", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-5417", "Source": "CVE" }, { "RefID": "CVE-2017-16997", "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-16997", "Source": "CVE" } ], "Description": "This update upgrades glibc to version 2.24-alt1. \nSecurity Fix(es):\n\n * BDU:2022-04623: Уязвимость функции clntudp_call (sunrpc/clnt_udp.c) в библиотеке GNU C (glibc или libc6), связанная с записью за границами буфера в памяти, позволяющая нарушителю вводить и выполнять произвольные команды или вызвать отказ в обслуживании\n\n * BDU:2022-05945: Уязвимость функций fillin_rpath, decompose_rpath системной библиотеки GNU C Library, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании\n\n * CVE-2016-1234: Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.\n\n * CVE-2016-3075: Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name.\n\n * CVE-2016-4429: Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.\n\n * CVE-2016-5417: Memory leak in the __res_vinit function in the IPv6 name server management code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows remote attackers to cause a denial of service (memory consumption) by leveraging partial initialization of internal resolver data structures.\n\n * CVE-2017-16997: elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.", "Advisory": { "From": "errata.altlinux.org", "Severity": "High", "Rights": "Copyright 2024 BaseALT Ltd.", "Issued": { "Date": "2016-12-27" }, "Updated": { "Date": "2016-12-27" }, "BDUs": [ { "ID": "BDU:2022-04623", "CVSS": "AV:N/AC:H/Au:N/C:N/I:N/A:C", "CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-404, CWE-787", "Href": "https://bdu.fstec.ru/vul/2022-04623", "Impact": "Low", "Public": "20160518" }, { "ID": "BDU:2022-05945", "CVSS": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "CVSS3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "CWE": "CWE-426", "Href": "https://bdu.fstec.ru/vul/2022-05945", "Impact": "High", "Public": "20171217" } ], "CVEs": [ { "ID": "CVE-2016-1234", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-119", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-1234", "Impact": "High", "Public": "20160601" }, { "ID": "CVE-2016-3075", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-119", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-3075", "Impact": "High", "Public": "20160601" }, { "ID": "CVE-2016-4429", "CVSS": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-787", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-4429", "Impact": "Low", "Public": "20160610" }, { "ID": "CVE-2016-5417", "CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "CWE": "CWE-399", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-5417", "Impact": "High", "Public": "20170217" }, { "ID": "CVE-2017-16997", "CVSS": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "CVSS3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "CWE": "CWE-426", "Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-16997", "Impact": "High", "Public": "20171218" } ], "AffectedCPEs": { "CPEs": [ "cpe:/o:alt:spworkstation:8.4", "cpe:/o:alt:spserver:8.4" ] } } }, "Criteria": { "Operator": "AND", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:4001", "Comment": "ALT Linux must be installed" } ], "Criterias": [ { "Operator": "OR", "Criterions": [ { "TestRef": "oval:org.altlinux.errata:tst:20162499001", "Comment": "glibc is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499002", "Comment": "glibc-core is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499003", "Comment": "glibc-debug is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499004", "Comment": "glibc-devel is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499005", "Comment": "glibc-devel-static is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499006", "Comment": "glibc-doc is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499007", "Comment": "glibc-gconv-modules is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499008", "Comment": "glibc-i18ndata is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499009", "Comment": "glibc-locales is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499010", "Comment": "glibc-nss is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499011", "Comment": "glibc-preinstall is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499012", "Comment": "glibc-pthread is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499013", "Comment": "glibc-timezones is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499014", "Comment": "glibc-utils is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499015", "Comment": "iconv is earlier than 6:2.24-alt1" }, { "TestRef": "oval:org.altlinux.errata:tst:20162499016", "Comment": "nscd is earlier than 6:2.24-alt1" } ] } ] } } ] }