CVE-2015-5277: Buffer Overflow
First published: Mon Sep 14 2015(Updated: )
It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap (depending on adjacent heap contents), potentially resulting in arbitrary code execution.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| GNU C Library (glibc) | <=2.19 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://sourceware.org/bugzilla/show_bug.cgi?id=17079
- https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ac60763eac3d43b7234dd21286ad3ec3f17957fc
- https://rhn.redhat.com/errata/RHSA-2015-2172.html
- https://rhn.redhat.com/errata/RHSA-2015-2589.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1262914
- http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html
- http://rhn.redhat.com/errata/RHSA-2015-2172.html
- http://seclists.org/fulldisclosure/2019/Sep/7
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/78092
- http://www.securitytracker.com/id/1034196
- http://www.ubuntu.com/usn/USN-2985-1
- http://www.ubuntu.com/usn/USN-2985-2
- https://seclists.org/bugtraq/2019/Sep/7
- https://security.gentoo.org/glsa/201702-11
- https://sourceware.org/ml/libc-alpha/2014-09/msg00088.html
Frequently Asked Questions
What is the severity of CVE-2015-5277?
CVE-2015-5277 has a critical severity level due to its potential to cause arbitrary code execution.
How do I fix CVE-2015-5277?
To fix CVE-2015-5277, you should update the affected glibc packages to the latest version available for your operating system.
Which systems are affected by CVE-2015-5277?
CVE-2015-5277 affects Red Hat Enterprise Linux 7.0, Ubuntu Linux versions 12.04, 14.04, and 15.10, and GNU C Library up to 2.19.
What type of vulnerability is CVE-2015-5277?
CVE-2015-5277 is a memory corruption vulnerability in the nss_files backend of glibc that can lead to arbitrary code execution.
Is there a workaround for CVE-2015-5277?
While there is no official workaround for CVE-2015-5277, applying security patches and limiting access to vulnerable applications can reduce risk.
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/type
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-5277
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux hpc node
- version/red hat enterprise linux hpc node/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/7.0
- vendor/gnu
- canonical/gnu c library (glibc)
- version/gnu c library (glibc)/2.19
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.10