SUSE update for glibc



Published: 2024-03-05
Risk Medium
Patch available YES
Number of vulnerabilities 5
CVE-ID CVE-2019-25013
CVE-2020-27618
CVE-2020-29562
CVE-2020-29573
CVE-2021-3326
CWE-ID CWE-125
CWE-835
CWE-617
CWE-787
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 11
Operating systems & Components / Operating system

glibc-devel-32bit
Operating systems & Components / Operating system package or component

glibc-locale-32bit
Operating systems & Components / Operating system package or component

glibc-32bit
Operating systems & Components / Operating system package or component

glibc-debuginfo
Operating systems & Components / Operating system package or component

glibc-profile-32bit
Operating systems & Components / Operating system package or component

glibc-debugsource
Operating systems & Components / Operating system package or component

glibc-debuginfo-32bit
Operating systems & Components / Operating system package or component

glibc-devel
Operating systems & Components / Operating system package or component

nscd
Operating systems & Components / Operating system package or component

glibc
Operating systems & Components / Operating system package or component

glibc-profile
Operating systems & Components / Operating system package or component

glibc-i18ndata
Operating systems & Components / Operating system package or component

glibc-html
Operating systems & Components / Operating system package or component

glibc-locale
Operating systems & Components / Operating system package or component

glibc-info
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Out-of-bounds read

EUVDB-ID: #VU50329

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-25013

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in GNU C Library within the iconv feature when processing multi-byte input sequences in the EUC-KR encoding. A remote attacker can pass specially crafted input to the application, trigger out-of-bounds read error and perform a denial of service (DoS) attack.

Mitigation

Update the affected package glibc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4

SUSE Linux Enterprise Server 11: SP4

glibc-devel-32bit: before 2.11.3-17.110.43.1

glibc-locale-32bit: before 2.11.3-17.110.43.1

glibc-32bit: before 2.11.3-17.110.43.1

glibc-debuginfo: before 2.11.3-17.110.43.1

glibc-profile-32bit: before 2.11.3-17.110.43.1

glibc-debugsource: before 2.11.3-17.110.43.1

glibc-debuginfo-32bit: before 2.11.3-17.110.43.1

glibc-devel: before 2.11.3-17.110.43.1

nscd: before 2.11.3-17.110.43.1

glibc: before 2.11.3-17.110.43.1

glibc-profile: before 2.11.3-17.110.43.1

glibc-i18ndata: before 2.11.3-17.110.43.1

glibc-html: before 2.11.3-17.110.43.1

glibc-locale: before 2.11.3-17.110.43.1

glibc-info: before 2.11.3-17.110.43.1

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Infinite loop

EUVDB-ID: #VU50404

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-27618

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within iconv implementation when processing multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, IBM1399 encodings. A remote attacker can pass specially crafted data to the application, consume all available system resources and cause denial of service conditions.

Mitigation

Update the affected package glibc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4

SUSE Linux Enterprise Server 11: SP4

glibc-devel-32bit: before 2.11.3-17.110.43.1

glibc-locale-32bit: before 2.11.3-17.110.43.1

glibc-32bit: before 2.11.3-17.110.43.1

glibc-debuginfo: before 2.11.3-17.110.43.1

glibc-profile-32bit: before 2.11.3-17.110.43.1

glibc-debugsource: before 2.11.3-17.110.43.1

glibc-debuginfo-32bit: before 2.11.3-17.110.43.1

glibc-devel: before 2.11.3-17.110.43.1

nscd: before 2.11.3-17.110.43.1

glibc: before 2.11.3-17.110.43.1

glibc-profile: before 2.11.3-17.110.43.1

glibc-i18ndata: before 2.11.3-17.110.43.1

glibc-html: before 2.11.3-17.110.43.1

glibc-locale: before 2.11.3-17.110.43.1

glibc-info: before 2.11.3-17.110.43.1

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Reachable Assertion

EUVDB-ID: #VU49670

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-29562

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when converting UCS4 text containing an irreversible character in the iconv function in the GNU C Library (aka glibc or libc6). A remote attacker can pass specially crafted data to the library, trigger an assertion failure and preform a denial of service attack.

Mitigation

Update the affected package glibc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4

SUSE Linux Enterprise Server 11: SP4

glibc-devel-32bit: before 2.11.3-17.110.43.1

glibc-locale-32bit: before 2.11.3-17.110.43.1

glibc-32bit: before 2.11.3-17.110.43.1

glibc-debuginfo: before 2.11.3-17.110.43.1

glibc-profile-32bit: before 2.11.3-17.110.43.1

glibc-debugsource: before 2.11.3-17.110.43.1

glibc-debuginfo-32bit: before 2.11.3-17.110.43.1

glibc-devel: before 2.11.3-17.110.43.1

nscd: before 2.11.3-17.110.43.1

glibc: before 2.11.3-17.110.43.1

glibc-profile: before 2.11.3-17.110.43.1

glibc-i18ndata: before 2.11.3-17.110.43.1

glibc-html: before 2.11.3-17.110.43.1

glibc-locale: before 2.11.3-17.110.43.1

glibc-info: before 2.11.3-17.110.43.1

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds write

EUVDB-ID: #VU50362

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-29573

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary within the sysdeps/i386/ldbl2mpn.c in the GNU C Library on x86  systems. A remote attacker can pass specially crafted data to the application that uses the vulnerable version of glibc and crash it.

Mitigation

Update the affected package glibc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4

SUSE Linux Enterprise Server 11: SP4

glibc-devel-32bit: before 2.11.3-17.110.43.1

glibc-locale-32bit: before 2.11.3-17.110.43.1

glibc-32bit: before 2.11.3-17.110.43.1

glibc-debuginfo: before 2.11.3-17.110.43.1

glibc-profile-32bit: before 2.11.3-17.110.43.1

glibc-debugsource: before 2.11.3-17.110.43.1

glibc-debuginfo-32bit: before 2.11.3-17.110.43.1

glibc-devel: before 2.11.3-17.110.43.1

nscd: before 2.11.3-17.110.43.1

glibc: before 2.11.3-17.110.43.1

glibc-profile: before 2.11.3-17.110.43.1

glibc-i18ndata: before 2.11.3-17.110.43.1

glibc-html: before 2.11.3-17.110.43.1

glibc-locale: before 2.11.3-17.110.43.1

glibc-info: before 2.11.3-17.110.43.1

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Reachable Assertion

EUVDB-ID: #VU50075

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3326

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion within the iconv function in the GNU C Library (aka glibc or libc6) when processing invalid input sequences in the ISO-2022-JP-3 encoding. A remote attacker can pass specially crafted data to the application, trigger an assertion failure and crash the affected application.

Mitigation

Update the affected package glibc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4

SUSE Linux Enterprise Server 11: SP4

glibc-devel-32bit: before 2.11.3-17.110.43.1

glibc-locale-32bit: before 2.11.3-17.110.43.1

glibc-32bit: before 2.11.3-17.110.43.1

glibc-debuginfo: before 2.11.3-17.110.43.1

glibc-profile-32bit: before 2.11.3-17.110.43.1

glibc-debugsource: before 2.11.3-17.110.43.1

glibc-debuginfo-32bit: before 2.11.3-17.110.43.1

glibc-devel: before 2.11.3-17.110.43.1

nscd: before 2.11.3-17.110.43.1

glibc: before 2.11.3-17.110.43.1

glibc-profile: before 2.11.3-17.110.43.1

glibc-i18ndata: before 2.11.3-17.110.43.1

glibc-html: before 2.11.3-17.110.43.1

glibc-locale: before 2.11.3-17.110.43.1

glibc-info: before 2.11.3-17.110.43.1

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###