SB2019081555 - Gentoo update for glibc

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Data Handling (CVE-ID: CVE-2015-8985)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.

2) Out-of-bounds read (CVE-ID: CVE-2016-6263)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted UTF-8 data.

3) Resource exhaustion (CVE-ID: CVE-2018-19591)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to an invalid 'ifname' parameter to __if_nametoindex() in 'sysdeps/unix/sysv/linux/if_index.c'. A remote attacker can invoke a call to the getaddrinfo() function with a 'node' parameter, consume excessive memory and cause the service to crash.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/201908-06