Mandrake alert: Updated glibc packages fix vulnerabilities

Posted by dave on Nov 18, 2003 7:59 PM EDT

A bug was discovered in the getgrouplist function in glibc that can cause a buffer overflow if the size of the group list is too small to hold all the user's groups. This overflow can cause segmentation faults in various user applications, some of which may lead to additional security problems. The problem can only be triggered if the user is in a larger number of groups than expected by an application.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandrake Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           glibc
 Advisory ID:            MDKSA-2003:107
 Date:                   November 18th, 2003

 Affected versions:      9.0, 9.1, Corporate Server 2.1,
                         Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 A bug was discovered in the getgrouplist function in glibc that can
 cause a buffer overflow if the size of the group list is too small to
 hold all the user's groups.  This overflow can cause segmentation
 faults in various user applications, some of which may lead to
 additional security problems.  The problem can only be triggered if the
 user is in a larger number of groups than expected by an application.
 
 The provided packages are patched to address this issue.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0689
 ______________________________________________________________________

 Updated Packages:
  
 Corporate Server 2.1:
 a75afbeab6bb0af8312606a5206b649f  corporate/2.1/RPMS/glibc-2.2.5-16.3.C21mdk.i586.rpm
 0728825f51c3bbdd93c8f2573927c035  corporate/2.1/RPMS/glibc-devel-2.2.5-16.3.C21mdk.i586.rpm
 cb76d0a10f88a3194023065888e16a9e  corporate/2.1/RPMS/glibc-i18ndata-2.2.5-16.3.C21mdk.i586.rpm
 904f109cf66575c2eaa8e15a6f1ddee1  corporate/2.1/RPMS/glibc-profile-2.2.5-16.3.C21mdk.i586.rpm
 007307c4d8a271f72a97fc97f7303ff5  corporate/2.1/RPMS/glibc-static-devel-2.2.5-16.3.C21mdk.i586.rpm
 4c8a57e8fdc3acefb8daa6eeda23ba70  corporate/2.1/RPMS/glibc-utils-2.2.5-16.3.C21mdk.i586.rpm
 76efd47f25ba60c9bbc567668a38e4ff  corporate/2.1/RPMS/ldconfig-2.2.5-16.3.C21mdk.i586.rpm
 efd517e924eb066acd0856bb476f87af  corporate/2.1/RPMS/nscd-2.2.5-16.3.C21mdk.i586.rpm
 7c062ed74887835eba2f1a50a265b8c9  corporate/2.1/RPMS/timezone-2.2.5-16.3.C21mdk.i586.rpm
 61f2d1b5fe0bc03cb0af9ef086c667bb  corporate/2.1/SRPMS/glibc-2.2.5-16.3.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 5aae39182bab1d726180953a7cd8d792  x86_64/corporate/2.1/RPMS/glibc-2.2.5-28.1.C21mdk.x86_64.rpm
 d3486ac35ba3d078e737be31113475f0  x86_64/corporate/2.1/RPMS/glibc-debug-2.2.5-28.1.C21mdk.x86_64.rpm
 939043df28c991d7b37b33fef3d0feb2  x86_64/corporate/2.1/RPMS/glibc-devel-2.2.5-28.1.C21mdk.x86_64.rpm
 c1b184cb452e4d60f268a4fc5f48e174  x86_64/corporate/2.1/RPMS/glibc-i18ndata-2.2.5-28.1.C21mdk.x86_64.rpm
 f2777101e2778fe7de39673220d7a069  x86_64/corporate/2.1/RPMS/glibc-profile-2.2.5-28.1.C21mdk.x86_64.rpm
 b2d191df43537f5f8e2e100b1de072ed  x86_64/corporate/2.1/RPMS/glibc-static-devel-2.2.5-28.1.C21mdk.x86_64.rpm
 083d9e44ce870e0d0ba2cea4c67963ec  x86_64/corporate/2.1/RPMS/glibc-utils-2.2.5-28.1.C21mdk.x86_64.rpm
 0e6f3655b336442eb80847d1e2be858a  x86_64/corporate/2.1/RPMS/ldconfig-2.2.5-28.1.C21mdk.x86_64.rpm
 059c6093ad5916e48a8786211a7ece0a  x86_64/corporate/2.1/RPMS/nscd-2.2.5-28.1.C21mdk.x86_64.rpm
 e0a23600cbd0ceb7a44fd4e275b4f454  x86_64/corporate/2.1/RPMS/timezone-2.2.5-28.1.C21mdk.x86_64.rpm
 c4de027516cfb1c943656f3876c89c44  x86_64/corporate/2.1/SRPMS/glibc-2.2.5-28.1.C21mdk.src.rpm

 Mandrake Linux 9.0:
 e64b4f099e7cd715c5ff1fc895101821  9.0/RPMS/glibc-2.2.5-16.3.90mdk.i586.rpm
 48a4f54fc49c39306a002633ae4495af  9.0/RPMS/glibc-devel-2.2.5-16.3.90mdk.i586.rpm
 9db7115962de7c0680ce0de12ea1955c  9.0/RPMS/glibc-i18ndata-2.2.5-16.3.90mdk.i586.rpm
 c5fed843eb910c860e3af39e6583e3bb  9.0/RPMS/glibc-profile-2.2.5-16.3.90mdk.i586.rpm
 2608fa069dfd563541f018742310d7b0  9.0/RPMS/glibc-static-devel-2.2.5-16.3.90mdk.i586.rpm
 101574c95eeb7e8849f9ef0010afdec4  9.0/RPMS/glibc-utils-2.2.5-16.3.90mdk.i586.rpm
 9c809b34abce979ef8cc2dea06a4b025  9.0/RPMS/ldconfig-2.2.5-16.3.90mdk.i586.rpm
 2b04e51c90b79235ccfe673b123fbb9c  9.0/RPMS/nscd-2.2.5-16.3.90mdk.i586.rpm
 386ac1d7f745c8deb1d3346cf86f7b51  9.0/RPMS/timezone-2.2.5-16.3.90mdk.i586.rpm
 434a57fb27d0d12337bc579eaf89d1db  9.0/SRPMS/glibc-2.2.5-16.3.90mdk.src.rpm

 Mandrake Linux 9.1:
 14b04c0c5abfcdeeb7ddcd99dff6f59c  9.1/RPMS/glibc-2.3.1-10.1.91mdk.i586.rpm
 db0399ed5e4e5932ccd68eb1d971e918  9.1/RPMS/glibc-debug-2.3.1-10.1.91mdk.i586.rpm
 55e698783b2f00d56e74a6a0295ddc65  9.1/RPMS/glibc-devel-2.3.1-10.1.91mdk.i586.rpm
 8d794fa39d989aff297eecddf8f3a89a  9.1/RPMS/glibc-i18ndata-2.3.1-10.1.91mdk.i586.rpm
 28000c25d34f6b6136092840825009a8  9.1/RPMS/glibc-profile-2.3.1-10.1.91mdk.i586.rpm
 2fd232922ed61aba14ca2da29948bfa5  9.1/RPMS/glibc-static-devel-2.3.1-10.1.91mdk.i586.rpm
 93c16beb43e79147b89d89dc080dcc3c  9.1/RPMS/glibc-utils-2.3.1-10.1.91mdk.i586.rpm
 dde039c956d163bfd0d58729765acc0d  9.1/RPMS/ldconfig-2.3.1-10.1.91mdk.i586.rpm
 c4a00854f69004fdc8875ceae2a23cab  9.1/RPMS/nscd-2.3.1-10.1.91mdk.i586.rpm
 e8f5a1eddced3c8e63d2a00236468a0a  9.1/RPMS/timezone-2.3.1-10.1.91mdk.i586.rpm
 6c7aa1aae0bc39f4211a3d0d1b9b79fa  9.1/SRPMS/glibc-2.3.1-10.1.91mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 bdacbfff4264a72f3106bd323597d668  ppc/9.1/RPMS/glibc-2.3.1-10.1.91mdk.ppc.rpm
 1b3c15be2106be26ed3532a372f68e27  ppc/9.1/RPMS/glibc-debug-2.3.1-10.1.91mdk.ppc.rpm
 5e08d596df7113323ae399c04328c091  ppc/9.1/RPMS/glibc-devel-2.3.1-10.1.91mdk.ppc.rpm
 4a763d9d65729ae8523b3991561d8cdb  ppc/9.1/RPMS/glibc-i18ndata-2.3.1-10.1.91mdk.ppc.rpm
 5b856ef8b4e1fcba7b6ea4a04c158e87  ppc/9.1/RPMS/glibc-profile-2.3.1-10.1.91mdk.ppc.rpm
 0f51825ee3c18bcb2feb3a8dd2739f46  ppc/9.1/RPMS/glibc-static-devel-2.3.1-10.1.91mdk.ppc.rpm
 111efa86d73c156110a31eaa6bbe9f02  ppc/9.1/RPMS/glibc-utils-2.3.1-10.1.91mdk.ppc.rpm
 0cfa1714f9ef4e1c62498d08ee5b3042  ppc/9.1/RPMS/ldconfig-2.3.1-10.1.91mdk.ppc.rpm
 c961c16bc6eef858083f6e42d5f875c1  ppc/9.1/RPMS/nscd-2.3.1-10.1.91mdk.ppc.rpm
 ea602b9406296fc2f198167924ab35cf  ppc/9.1/RPMS/timezone-2.3.1-10.1.91mdk.ppc.rpm
 6c7aa1aae0bc39f4211a3d0d1b9b79fa  ppc/9.1/SRPMS/glibc-2.3.1-10.1.91mdk.src.rpm

 Multi Network Firewall 8.2:
 058bc1cc39d9af370e6334de4d5ca892  mnf8.2/RPMS/glibc-2.2.4-26.3.M82mdk.i586.rpm
 b8feb768e9825ed998b46b90094543fd  mnf8.2/RPMS/ldconfig-2.2.4-26.3.M82mdk.i586.rpm
 be3a063c275d0240395b433aef3a7ea4  mnf8.2/SRPMS/glibc-2.2.4-26.3.M82mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by MandrakeSoft for security.  You can obtain
 the GPG public key of the Mandrake Linux Security Team by executing:

  gpg --recv-keys --keyserver http://www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

 MandrakeSoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

  http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/uvgImqjQ0CJFipgRAtiGAJwPfnSelVLECYrDYKCOjtZIfORzvgCfctxx
0h5uimjEFIZdZd01HpsMjYk=
=aMES
-----END PGP SIGNATURE-----
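
The caller-side pattern that the getgrouplist bug puts at risk, shown as an added example (not code from the advisory or from glibc): on a patched library the call returns -1 and reports the required count when the array is too small, so the caller resizes and retries. The helper name `load_groups`, the `MAX_GROUPS` bound and the "root"/gid 0 input are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* exposes getgrouplist() in <grp.h> on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define MAX_GROUPS 65536  /* assumed sanity bound, not a value from the advisory */

/* Hypothetical helper. Returns the number of groups stored in *out (caller
 * frees), or -1 on allocation failure, an oversized request, or when the
 * library never accepts the buffer. */
int load_groups(const char *user, gid_t primary, int initial_cap, gid_t **out)
{
    int cap = initial_cap > 0 ? initial_cap : 1;
    gid_t *buf = NULL;

    *out = NULL;
    for (int attempt = 0; attempt < 4 && cap <= MAX_GROUPS; attempt++) {
        gid_t *tmp = realloc(buf, (size_t)cap * sizeof(*buf));
        if (tmp == NULL)
            break;
        buf = tmp;

        int n = cap;              /* in: array capacity, out: group count */
        if (getgrouplist(user, primary, buf, &n) >= 0) {
            *out = buf;
            return n;
        }
        /* Array too small: n holds the count the library wants. If it did
         * not grow, double instead so the loop still makes progress. */
        cap = (n > cap) ? n : cap * 2;
    }
    free(buf);
    return -1;
}

int main(void)
{
    gid_t *groups = NULL;
    /* Constructed input: room for a single group, so an account that is in
     * several groups exercises the resize path. */
    int n = load_groups("root", 0, 1, &groups);
    if (n < 0)
        return 1;
    for (int i = 0; i < n; i++)
        printf("gid %lu\n", (unsigned long)groups[i]);
    free(groups);
    return 0;
}
```

An application that passes a fixed-size array and ignores the -1 return is the "larger number of groups than expected" case the advisory describes.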
