SB2014102403 - Slackware Linux update for glibc

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2014102403

SB2014102403 - Slackware Linux update for glibc

Published: October 24, 2014 Updated: June 28, 2025

Security Bulletin ID SB2014102403
Severity
Medium
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.


1) Stack-based buffer overflow (CVE-ID: CVE-2012-4424)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing a long string that triggers a malloc failure and use of the alloca function. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Heap-based buffer overflow (CVE-ID: CVE-2012-4412)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier. A remote attacker can use a long string to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Buffer overflow (CVE-ID: CVE-2013-4237)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted (1) NTFS or (2) CIFS image.


4) Input validation error (CVE-ID: CVE-2013-4788)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address. Additional information that was taken into consideration while scoring: https://bugzilla.redhat.com/show_bug.cgi?id=985625


5) Input validation error (CVE-ID: CVE-2013-4458)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of AF_INET6 address results.


6) Code Injection (CVE-ID: CVE-2014-4043)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.


7) Path traversal (CVE-ID: CVE-2014-0475)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.


8) Input validation error (CVE-ID: CVE-2014-5119)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.


9) Buffer overflow (CVE-ID: CVE-2014-6040)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8.


Remediation

Install update from vendor's website.

References