USN-944-1: GNU C Library vulnerabilities
25 May 2010
glibc, eglibc vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
- Ubuntu 9.10
- Ubuntu 9.04
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS
Summary
The GNU C library did not correctly handle certain mnt entries, strfmon arguments, and ELF program headers.
Software Description
- eglibc - Shared system libraries
- glibc - Shared system libraries
Details
Maksymilian Arciemowicz discovered that the GNU C library did not correctly handle integer overflows in the strfmon function. If a user or automated system were tricked into processing a specially crafted format string, a remote attacker could crash applications, leading to a denial of service. (Ubuntu 10.04 was not affected.) (CVE-2008-1391)
Jeff Layton and Dan Rosenberg discovered that the GNU C library did not correctly handle newlines in the mntent family of functions. If a local attacker were able to inject newlines into a mount entry through other vulnerable mount helpers, they could disrupt the system or possibly gain root privileges. (CVE-2010-0296)
Dan Rosenberg discovered that the GNU C library did not correctly validate certain ELF program headers. If a user or automated system were tricked into verifying a specially crafted ELF program, a remote attacker could execute arbitrary code with user privileges. (CVE-2010-0830)
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 10.04 LTS
- libc6 - 2.11.1-0ubuntu7.1
- Ubuntu 9.10
- libc6 - 2.10.1-0ubuntu17
- Ubuntu 9.04
- libc6 - 2.9-4ubuntu6.2
- Ubuntu 8.04 LTS
- libc6 - 2.7-10ubuntu6
- Ubuntu 6.06 LTS
- libc6 - 2.3.6-0ubuntu20.6
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart all services to make the necessary changes.