SB2019061314 - Multiple vulnerabilities in GNU Glibc
Published: June 13, 2019 Updated: June 28, 2025
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2013-7423)
The vulnerability allows a remote non-authenticated attacker to corrupt data.
The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function.
2) Buffer overflow (CVE-ID: CVE-2015-5277)
The vulnerability allows a local user to execute arbitrary code.
The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.
3) Buffer overflow (CVE-ID: CVE-2014-9984)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd.
Remediation
Install the update from the vendor's website.
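A quick way to triage hosts against the "before 2.20" boundary given for all three CVEs, as an added example that is not part of the original bulletin. The function names and the "check-errata" label are assumptions made for this example; distributions often backport fixes without changing the upstream version number, so an older version means the vendor errata must be checked, not that the host is necessarily unpatched.

```shell
#!/bin/sh
# Added example (not from the bulletin): compare a glibc version string with
# 2.20, the release the bulletin gives as the fix boundary for all three CVEs.
FIXED_MAJOR=2
FIXED_MINOR=20

# glibc_status VERSION (hypothetical helper)
# Prints "fixed" (upstream 2.20 or later), "check-errata" (older upstream
# version: vulnerable unless the vendor backported the fixes) or "unknown".
glibc_status() {
    # Pull the first MAJOR.MINOR pair out of strings such as "glibc 2.17",
    # "2.19-18+deb8u10" or "ldd (GNU libc) 2.31".
    pair=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$pair" ]; then
        echo unknown
        return 0
    fi
    major=${pair% *}
    minor=${pair#* }
    if [ "$major" -gt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ]; }; then
        echo fixed
    else
        echo check-errata
    fi
}

# local_glibc_status (hypothetical helper): classify the running system.
# getconf GNU_LIBC_VERSION prints e.g. "glibc 2.31"; on non-glibc systems it
# fails and the result is "unknown".
local_glibc_status() {
    glibc_status "$(getconf GNU_LIBC_VERSION 2>/dev/null || true)"
}

# Constructed sample inputs, then the local system.
for v in "glibc 2.17" "2.19-18+deb8u10" "2.20" "glibc 2.31" "n/a"; do
    printf '%-18s %s\n' "$v" "$(glibc_status "$v")"
done
printf '%-18s %s\n' "(this host)" "$(local_glibc_status)"
```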
References
- http://www.openwall.com/lists/oss-security/2015/01/28/20
- https://github.com/golang/go/issues/6336
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html
- https://sourceware.org/bugzilla/show_bug.cgi?id=15946
- http://www.ubuntu.com/usn/USN-2519-1
- http://www.securityfocus.com/bid/72844
- https://security.gentoo.org/glsa/201602-02
- https://access.redhat.com/errata/RHSA-2016:1207
- http://rhn.redhat.com/errata/RHSA-2015-0863.html
- http://seclists.org/fulldisclosure/2021/Sep/0
- http://packetstormsecurity.com/files/164014/Moxa-Command-Injection-Cross-Site-Scripting-Vulnerable-Software.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1262914
- https://sourceware.org/bugzilla/show_bug.cgi?id=17079
- http://www.securitytracker.com/id/1034196
- http://rhn.redhat.com/errata/RHSA-2015-2172.html
- https://sourceware.org/ml/libc-alpha/2014-09/msg00088.html
- http://www.ubuntu.com/usn/USN-2985-2
- http://www.ubuntu.com/usn/USN-2985-1
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/78092
- https://security.gentoo.org/glsa/201702-11
- http://seclists.org/fulldisclosure/2019/Sep/7
- https://seclists.org/bugtraq/2019/Sep/7
- http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html
- http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html
- http://seclists.org/fulldisclosure/2019/Jun/18
- http://www.securityfocus.com/bid/99071
- https://seclists.org/bugtraq/2019/Jun/14
- https://sourceware.org/bugzilla/show_bug.cgi?id=16695
- https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=c44496df2f090a56d3bf75df930592dac6bba46f