openSUSE Security Update: glibc: Security update to fix various security problems and
Announcement ID: openSUSE-SU-2010:0914-1
References: #375315 #445636 #513961 #534828 #537315 #538067
#541773 #569091 #572188 #585879 #592941 #594263
Cross-References: CVE-2008-1391 CVE-2010-0015 CVE-2010-0296
CVE-2010-0830 CVE-2010-3847 CVE-2010-3856
An update that solves 6 vulnerabilities and has 8 fixes is
This update of glibc fixes various bugs and security issues:
CVE-2010-3847: Decoding of the $ORIGIN special value in
various LD_ environment variables allowed local attackers
to execute code in context of e.g. setuid root programs,
elevating privileges. This issue does not affect SUSE as
an assertion triggers before the respective code is
executed. The bug was fixed nevertheless.
CVE-2010-3856: The LD_AUDIT environment was not pruned
during setuid root execution and could load shared
libraries from standard system library paths. This could be
used by local attackers to inject code into setuid root
programs and so elevated privileges.
CVE-2010-0830: Integer overflow causing arbitrary code
execution in ld.so
--verify mode could be induced by a specially crafted
CVE-2010-0296: The addmntent() function would not escape
the newline character properly, allowing the user to insert
arbitrary newlines to the /etc/mtab; if the addmntent() is
run by a setuid mount binary that does not do extra input
checking, this would allow custom entries to be inserted in
CVE-2008-1391: The strfmon() function contains an integer
overflow vulnerability in width specifiers handling that
could be triggered by an attacker that can control the
format string passed to strfmon().
CVE-2010-0015: Some setups (mainly Solaris-based legacy
setups) include shadow information (password hashes) as
so-called "adjunct passwd" table, mangling it with the rest
of passwd columns instead of keeping it in the shadow
table. Normally, Solaris will disclose this information
only to clients bound to a priviledged port, but when nscd
is deployed on the client, getpwnam() would disclose the
password hashes to all users. New mode "adjunct as shadow"
can now be enabled in /etc/default/nss that will move the
password hashes from the world-readable passwd table to
emulated shadow table (that is not cached by nscd).
Some invalid behaviour, crashes and memory leaks were fixed:
- statfs64() would not function properly on IA64 in ia32el
- memcpy() and memset() on power6 would erroneously use a
64-bit instruction within 32-bit code in certain corner
- nscd would not load /etc/host.conf properly before
performing host resolution - most importantly, `multi on`
in /etc/host.conf would be ignored when nscd was used,
breaking e.g. resolving records in /etc/hosts where
single name would point at multiple addresses
- Removed mapping from lowercase sharp s to uppercase sharp
S; uppercase S is not a standardly used letter and causes
problems for ISO encodings.
Some other minor issues were fixed:
- glibc-locale now better coexists with sap-locale on
upgrades by regenerating the locale/gconv indexes
- Ports 623 and 664 may not be allocated by RPC code
automatically anymore since that may clash with ports
used on some IPMI network cards.
- On x86_64, backtrace of a static destructor would stop in
the _fini() glibc pseudo-routine, making it difficult to
find out what originally triggered the program
termination. The routine now has unwind information
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.1:
zypper in -t patch glibc-3399
To bring your system up-to-date, use "zypper patch".
- openSUSE 11.1 (i586 i686 ppc x86_64):
- openSUSE 11.1 (x86_64):
- openSUSE 11.1 (ppc):