Do we get a fix for glibc security issues?
CVE-2014-9761 (=MER#1633)
CVE-2015-5180
CVE-2018-1000001 (=MER#1869) [Priority: High]
CVE-2017-8804 CVE-2017-12132 CVE-2018-6485 CVE-2018-11236 [Priority: medium]
CVE-2017-12133
As hackers are working on real exploits, this is very urgent. SFOS seems¹ to use ASLR (which prevents the simplest exploits), but which form does it use: the weak form of kernel 2.6.12, or Position-independent executables (PIE), which is stronger but weak in low-memory conditions :-( ? ASLR is not perfect: here is an interesting article about ASLR on ARMv7 devices [Stagefright is not fixed btw and could harm a JollaPhone].
Possible workarounds without patching are not suitable!
• (CVE-2015-7547 fix released in Taalojärvi)
• (CVE-2015-8777 fix released in Haapajoki)
• (CVE-2015-8776: fix released in Haapajoki)
• (CVE-2015-8778: fix released in Haapajoki)
• CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (Accessvector:NETWORK/REMOTE CVSS v3 Base Score:9.8/10 critical)
• (CVE-2015-8779: fix released in Haapajoki)
• (CVE-2015-1781: fix released in Haapajoki)
• (CVE-2014-8121: fix released in Haapajoki)
• (CVE-2016-1234 Fix released in Jämsänjoki)
• (CVE-2016-4429 Fix released in Jämsänjoki)
additionally:
• (CVE-2015-5277: fix released in Haapajoki)
• (CVE-2016-3075 fix released in Haapajoki)
• (CVE-2016-2856: fix released in Haapajoki)
• CVE-2018-1000001: libc does not account for all the possible return values from the kernel getcwd(2) syscall; arbitrary code execution may result from applications making further assumptions on the return value from the getcwd(3) library function. Priority: High
• CVE-2017-15670: The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. (Accessvector:NETWORK/REMOTE CVSS v3 Base Score:9.8/10 critical)
• CVE-2017-15671: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).
• CVE-2017-8804: Fix memory leak after deserialization failure in xdrbytes, xdrstring (bsc#1037930)
• CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
• CVE-2018-6485: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
• CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556) (Accessvector: network/remote)
¹ cat /proc/sys/kernel/randomize_va_space returns 2, and repeated ldd <some-executable> returns different addresses of linked libraries.
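The footnote's two checks (the randomize_va_space sysctl and repeated ldd runs) only show that the kernel randomizes mmap regions, so shared libraries move; the executable's own base is randomized only if the binary is a PIE, i.e. its ELF e_type is ET_DYN rather than ET_EXEC. The script below is an added example, not from the original post or from Jolla: it classifies an ELF header by e_type, decodes the randomize_va_space value, and compares library addresses between two ldd runs. The ELF headers and ldd outputs embedded in it are constructed samples; the functions accept real files and real ldd output.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed-address executable: its own base is never randomized
ET_DYN = 3    # shared object or PIE: base is randomized when ASLR is on


def elf_type(header: bytes) -> str:
    """Classify an ELF header: 'PIE' for ET_DYN, 'non-PIE' for ET_EXEC, else 'other'."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    (e_type,) = struct.unpack(endian + "H", header[16:18])  # e_type sits at offset 16 in ELF32 and ELF64
    return {ET_EXEC: "non-PIE", ET_DYN: "PIE"}.get(e_type, "other")


def aslr_level(text: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    levels = {
        0: "disabled",
        1: "stack, mmap (shared libraries) and VDSO randomized",
        2: "stack, mmap, VDSO and brk heap randomized",
    }
    return levels.get(int(text.strip()), "unknown value")


def ldd_addresses(output: str) -> dict:
    """Map each library named in ldd output to the load address ldd reports."""
    addrs = {}
    for line in output.splitlines():
        line = line.strip()
        if "(0x" not in line:
            continue
        name = line.split()[0]
        addrs[name] = int(line.rsplit("(0x", 1)[1].rstrip(")"), 16)
    return addrs


def libraries_rebased(run_a: str, run_b: str) -> bool:
    """True if every library present in both ldd runs landed at a different address."""
    a, b = ldd_addresses(run_a), ldd_addresses(run_b)
    common = set(a) & set(b)
    return bool(common) and all(a[n] != b[n] for n in common)


def _elf32_arm_header(e_type: int) -> bytes:
    """Constructed minimal ELF32 little-endian ARM header; only e_type matters for the check."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, LSB, version 1, SYSV ABI
    # e_type, e_machine(EM_ARM=40), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack("<HHIIIIIHHHHHH", e_type, 40, 1, 0x8000, 52, 0, 0, 52, 32, 1, 40, 0, 0)


SAMPLE_PIE = _elf32_arm_header(ET_DYN)        # constructed sample, stands in for a PIE binary
SAMPLE_NON_PIE = _elf32_arm_header(ET_EXEC)   # constructed sample, stands in for a fixed-address binary

# Constructed ldd output for two runs of the same binary; addresses are made up.
LDD_RUN_1 = """\
        linux-vdso.so.1 =>  (0xbed6f000)
        libc.so.6 => /lib/libc.so.6 (0xb6e0c000)
        /lib/ld-linux-armhf.so.3 (0xb6f1a000)
"""
LDD_RUN_2 = """\
        linux-vdso.so.1 =>  (0xbeb31000)
        libc.so.6 => /lib/libc.so.6 (0xb6d5e000)
        /lib/ld-linux-armhf.so.3 (0xb6e6c000)
"""


if __name__ == "__main__":
    # Usage: python aslr_check.py /usr/bin/some-binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, elf_type(f.read(64)))
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            print("randomize_va_space:", aslr_level(f.read()))
    except OSError:
        pass   # not a Linux host
    print("constructed samples:", elf_type(SAMPLE_PIE), elf_type(SAMPLE_NON_PIE))
    print("libraries rebased between constructed ldd runs:", libraries_rebased(LDD_RUN_1, LDD_RUN_2))
```

Run it against the device's own binaries (for example the browser or the network daemons that call getaddrinfo()) to see whether the executable itself is a PIE; on a system where randomize_va_space is 2 but the binaries report non-PIE, the library addresses in ldd still change between runs while the program's code and data stay at fixed addresses.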
Thank you, great post. Just wanted to open it ;) .... second :-D
megalith ( 2016-02-17 15:56:14 +0200 )

+1 and more characters
jollailija ( 2016-02-17 17:35:41 +0200 )

It's glibc, they will have to rebuild/test the world. I would expect that they will push back the Taalojarvi release for it though.
r0kk3rz ( 2016-02-17 17:51:00 +0200 )

@r0kk3rz no, they don't have to rebuild a lot. It affects glibc alone with its system functions, notably getaddrinfo() and strftime(), used by almost all other applications.
lpr ( 2016-02-17 18:36:15 +0200 )

Why is Jolla not able to patch on day zero?
lpr ( 2016-02-18 19:03:01 +0200 )