SB2017032217 - Multiple vulnerabilities in GNU Glibc
Published: March 22, 2017 Updated: June 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2015-8983)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22. A remote attacker can use vectors related to computing a size in bytes to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Out-of-bounds read (CVE-ID: CVE-2015-8984)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.
3) Buffer overflow (CVE-ID: CVE-2015-20109)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
end_pattern (called from internal_fnmatch) in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash), as demonstrated by use of the fnmatch library function with the **(!() pattern. NOTE: this is not the same as CVE-2015-8984; also, some Linux distributions have fixed CVE-2015-8984 but have not fixed this additional fnmatch issue.
Remediation
Install update from vendor's website.
References
- http://www.openwall.com/lists/oss-security/2017/02/14/9
- http://www.securityfocus.com/bid/72740
- https://sourceware.org/bugzilla/show_bug.cgi?id=17269
- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33
- https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html
- http://www.openwall.com/lists/oss-security/2015/02/26/5
- http://www.securityfocus.com/bid/72789
- https://sourceware.org/bugzilla/show_bug.cgi?id=18032
- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185
- https://sourceware.org/bugzilla/show_bug.cgi?id=18036
- https://security.netapp.com/advisory/ntap-20230731-0009/