Executive Summary
Summary | |
---|---|
Title | glibc security and bug fix update |
Informations | |||
---|---|---|---|
Name | RHSA-2012:1097 | First vendor Publication | 2012-07-18 |
Vendor | RedHat | Last vendor Modification | 2012-07-18 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated glibc packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function properly. It was discovered that the formatted printing functionality in glibc did not properly restrict the use of alloca(). This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort. (CVE-2012-3406) This update also fixes the following bug: * If a file or a string was in the IBM-930 encoding, and contained the invalid multibyte character "0xffff", attempting to use iconv() (or the iconv command) to convert that file or string to another encoding, such as UTF-8, resulted in a segmentation fault. With this update, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, rather than causing a segmentation fault. (BZ#837896) All users of glibc are advised to upgrade to these updated packages, which contain backported patches to fix these issues. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 826943 - CVE-2012-3406 glibc: printf() unbound alloca() usage in case of positional parameters + many format specs |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2012-1097.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:21252 | |||
Oval ID: | oval:org.mitre.oval:def:21252 | ||
Title: | RHSA-2012:1098: glibc security and bug fix update (Moderate) | ||
Description: | The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1098-01 CESA-2012:1098 CVE-2012-3404 CVE-2012-3405 CVE-2012-3406 | Version: | 28 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21515 | |||
Oval ID: | oval:org.mitre.oval:def:21515 | ||
Title: | RHSA-2012:1097: glibc security and bug fix update (Moderate) | ||
Description: | The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1097-00 CESA-2012:1097 CVE-2012-3406 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22825 | |||
Oval ID: | oval:org.mitre.oval:def:22825 | ||
Title: | ELSA-2012:1097: glibc security and bug fix update (Moderate) | ||
Description: | The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1097-00 CVE-2012-3406 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23014 | |||
Oval ID: | oval:org.mitre.oval:def:23014 | ||
Title: | ELSA-2012:1098: glibc security and bug fix update (Moderate) | ||
Description: | The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1098-01 CVE-2012-3404 CVE-2012-3405 CVE-2012-3406 | Version: | 17 |
Platform(s): | Oracle Linux 6 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27827 | |||
Oval ID: | oval:org.mitre.oval:def:27827 | ||
Title: | DEPRECATED: ELSA-2012-1098 -- glibc security and bug fix update (moderate) | ||
Description: | [2.12-1.80.el6_3.3] - Fix incorrect/corrupt patchfile for 833716. Did not affect generated code, but tests were missing (#833716). [2.12-1.80.el6_3.2] - Fix regression after patch for BZ804630 (#837026). [2.12-1.80.el6_3.1] - Fixes an unbound alloca and related problems. (#833716) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1098 CVE-2012-3404 CVE-2012-3405 CVE-2012-3406 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27845 | |||
Oval ID: | oval:org.mitre.oval:def:27845 | ||
Title: | DEPRECATED: ELSA-2012-1097 -- glibc security and bug fix update (moderate) | ||
Description: | [2.5-81.el5_8.4] - Fix iconv() segfault if the invalid multibyte character 0xffff is input when converting from IBM930 (#837896) [2.5-81.el5_8.3] - Fix unbound alloca in vfprintf (#833720) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1097 CVE-2012-3406 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | glibc |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 2 | |
Application | 1 | |
Os | 5 | |
Os | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2012-12-27 | Name : VMSA-2012-0018: VMware security updates for vCSA and ESXi File : nvt/gb_VMSA-2012-0018.nasl |
2012-12-18 | Name : Ubuntu Update for glibc USN-1589-2 File : nvt/gb_ubuntu_USN_1589_2.nasl |
2012-10-03 | Name : Ubuntu Update for eglibc USN-1589-1 File : nvt/gb_ubuntu_USN_1589_1.nasl |
2012-08-30 | Name : Fedora Update for glibc FEDORA-2012-11508 File : nvt/gb_fedora_2012_11508_glibc_fc17.nasl |
2012-07-30 | Name : CentOS Update for glibc CESA-2012:1097 centos5 File : nvt/gb_CESA-2012_1097_glibc_centos5.nasl |
2012-07-30 | Name : CentOS Update for glibc CESA-2012:1098 centos6 File : nvt/gb_CESA-2012_1098_glibc_centos6.nasl |
2012-07-19 | Name : RedHat Update for glibc RHSA-2012:1097-01 File : nvt/gb_RHSA-2012_1097-01_glibc.nasl |
2012-07-19 | Name : RedHat Update for glibc RHSA-2012:1098-01 File : nvt/gb_RHSA-2012_1098-01_glibc.nasl |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-02-12 | IAVM : 2015-A-0038 - Multiple Vulnerabilities in GNU C Library (glibc) Severity : Category I - VMSKEY : V0058753 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-1251-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2012-1488-1.nasl - Type : ACT_GATHER_INFO |
2015-04-06 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL16364.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-168.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-165.nasl - Type : ACT_GATHER_INFO |
2015-03-09 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201503-04.nasl - Type : ACT_GATHER_INFO |
2015-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3169.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2012-1200.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1185.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote VMware ESXi 5.0 host is affected by multiple vulnerabilities. File : vmware_esxi_5_0_build_912577_remote.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote VMware ESXi 5.1 host is affected by multiple security vulnerabilit... File : vmware_esxi_5_1_build_1063671_remote.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-109.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1098.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1097.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_glibc-121129.nasl - Type : ACT_GATHER_INFO |
2012-12-24 | Name : The remote VMware ESXi host is missing one or more security-related patches. File : vmware_VMSA-2012-0018.nasl - Type : ACT_GATHER_INFO |
2012-12-18 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1589-2.nasl - Type : ACT_GATHER_INFO |
2012-11-19 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_glibc-8351.nasl - Type : ACT_GATHER_INFO |
2012-10-02 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1589-1.nasl - Type : ACT_GATHER_INFO |
2012-08-16 | Name : The remote Fedora host is missing a security update. File : fedora_2012-11508.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120718_glibc_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120718_glibc_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-07-20 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1098.nasl - Type : ACT_GATHER_INFO |
2012-07-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1098.nasl - Type : ACT_GATHER_INFO |
2012-07-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1097.nasl - Type : ACT_GATHER_INFO |
2012-07-19 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1097.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:56:10 |
|
2014-02-11 13:24:50 |
|
2014-02-10 21:28:14 |
|