Main Vulnerability Database SB2022040637

SB2022040637 - SUSE update for glibc

Published: April 6, 2022

Security Bulletin ID SB2022040637

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Use-after-free (CVE-ID: CVE-2020-1752)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the glob() function in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username are affected by this issue. A local user can create a specially crafted path that, when processed by the glob() function, would potentially lead to arbitrary code execution.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2022/suse-su-20221123-1/

Vulnerable Software

SUSE OpenStack Cloud Crowbar: 8
SUSE Linux Enterprise Server for SAP: 12-SP3
HPE Helion Openstack: 8
SUSE Linux Enterprise Server: 12-SP2-BCL - 12-SP3-LTSS
SUSE OpenStack Cloud: 8
nscd-debuginfo: before 2.22-123.1
nscd: before 2.22-123.1
glibc-profile-32bit: before 2.22-123.1
glibc-profile: before 2.22-123.1
glibc-locale-debuginfo-32bit: before 2.22-123.1
glibc-locale-debuginfo: before 2.22-123.1
glibc-locale-32bit: before 2.22-123.1
glibc-locale: before 2.22-123.1
glibc-devel-debuginfo-32bit: before 2.22-123.1
glibc-devel-debuginfo: before 2.22-123.1
glibc-devel-32bit: before 2.22-123.1
glibc-devel: before 2.22-123.1
glibc-debugsource: before 2.22-123.1
glibc-debuginfo-32bit: before 2.22-123.1
glibc-debuginfo: before 2.22-123.1
glibc-32bit: before 2.22-123.1
glibc: before 2.22-123.1
glibc-info: before 2.22-123.1
glibc-i18ndata: before 2.22-123.1
glibc-html: before 2.22-123.1