Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Moderate: glibc security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2017-16997   CVE-2018-6485   CVE-2018-11236   CVE-2018-11237   CVE-2017-16997   CVE-2018-6485   CVE-2018-11236   CVE-2018-11237   CVE-2017-16997   CVE-2018-6485   CVE-2018-11236   CVE-2018-11237  

Source

Synopsis

Moderate: glibc security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for glibc is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix(es):

  • glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries (CVE-2017-16997)
  • glibc: Integer overflow in posix_memalign in memalign functions (CVE-2018-6485)
  • glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow (CVE-2018-11236)
  • glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper (CVE-2018-11237)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the glibc library must be restarted, or the system rebooted.

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le
  • Red Hat Virtualization Host 4 x86_64
  • Red Hat Enterprise Linux for ARM 64 7 aarch64
  • Red Hat Enterprise Linux for Power 9 7 ppc64le
  • Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

  • BZ - 1349967 - Fix warning: "IN_MODULE" redefined [enabled by default]
  • BZ - 1349982 - Fix static analysis warnings in build-locale-archive.c.
  • BZ - 1372304 - glibc: backport build/testing time improvements
  • BZ - 1401665 - Fix process shared robust mutex defects.
  • BZ - 1408964 - RFE: Add Provides: nss_db to the glibc rpm
  • BZ - 1448107 - glibc: Add el_GR@euro, ur_IN, and wal_ET locales
  • BZ - 1461231 - [RFE] Support OFD locking constants, but disable them for 32-bit offsets (not following upstream) (glibc)
  • BZ - 1471405 - glibc: Define O_TMPFILE macro
  • BZ - 1476120 - glibc headers don't include linux/falloc.h, and therefore doesn't include fallocate() flags
  • BZ - 1505451 - pthread_barrier_init typo has in-theory-undefined behavior
  • BZ - 1505477 - strftime_l: Fix multiline macro DO_NUMBER (GCC 8 warnings, and coverity warnings)
  • BZ - 1505492 - glibc: Build with -Werror and -Wundef
  • BZ - 1505500 - locale: Transliteration function may return address of local variable.
  • BZ - 1505647 - NSCD not properly caching netgroup
  • BZ - 1526865 - CVE-2017-16997 glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries
  • BZ - 1531168 - glibc: setcontext/makecontext alignment issues on x86
  • BZ - 1542102 - CVE-2018-6485 glibc: Integer overflow in posix_memalign in memalign functions
  • BZ - 1560641 - sem_open - valgrind complains about uninitialised bytes
  • BZ - 1563046 - getlogin_r: return early when linux sentinel value is set
  • BZ - 1563747 - glibc: Adjust system call name list to Linux 4.16+
  • BZ - 1564638 - glibc: Fix compile-time type error in string/test-strncmp.c and other string tests
  • BZ - 1566623 - glibc: Old-style function definitions without prototype in libio/strops.c
  • BZ - 1579727 - glibc: Crash in __res_context_send after memory allocation failure
  • BZ - 1581269 - CVE-2018-11236 glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow
  • BZ - 1581274 - CVE-2018-11237 glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper

CVEs

References

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started