First published: Wed Nov 10 2010 (Updated: )
The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly.

It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847)

It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856)

Red Hat would like to thank Tavis Ormandy for reporting the CVE-2010-3847 issue, and Ben Hawkes and Tavis Ormandy for reporting the CVE-2010-3856 issue.

This update also fixes the following bugs:

* Previously, the generic implementation of the strstr() and memmem() functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected. (BZ#643341)

* The "TCB_ALIGNMENT" value has been increased to 32 bytes to prevent applications from crashing during symbol resolution on 64-bit systems with support for Intel AVX vector registers. (BZ#643343)

All users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/glibc | <2.12-1.7.el6_0.3 | 2.12-1.7.el6_0.3 |
redhat/glibc-common | <2.12-1.7.el6_0.3 | 2.12-1.7.el6_0.3 |
redhat/glibc-debuginfo | <2.12-1.7.el6_0.3 | 2.12-1.7.el6_0.3 |
redhat/glibc-devel | <2.12-1.7.el6_0.3 | 2.12-1.7.el6_0.3 |
redhat/glibc-headers | <2.12-1.7.el6_0.3 | 2.12-1.7.el6_0.3 |
redhat/glibc-static | <2.12-1.7.el6_0.3 | 2.12-1.7.el6_0.3 |
redhat/glibc-utils | <2.12-1.7.el6_0.3 | 2.12-1.7.el6_0.3 |
redhat/nscd | <2.12-1.7.el6_0.3 | 2.12-1.7.el6_0.3 |
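The check an administrator would run against this table, as an added example that is not Red Hat's or SecAlerts' code: a Python port of rpm's `rpmvercmp()` ordering (numeric segments compared as integers, alphabetic segments lexically, numeric newer than alphabetic, tilde sorting before everything) applied to `name-version-release` strings such as those printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' glibc glibc-common nscd`. It assumes the packages carry no epoch (true for these RHEL 6 builds) and does not handle the caret separator; the rpm output it parses is constructed sample data, not output captured from a real host.

```python
import re
from typing import Dict, Tuple

# Fixed version-release from the advisory table (RHEL 6 packages).
FIXED_VERSION_RELEASE = "2.12-1.7.el6_0.3"

# Package names the advisory lists as affected.
AFFECTED_PACKAGES = frozenset((
    "glibc", "glibc-common", "glibc-debuginfo", "glibc-devel",
    "glibc-headers", "glibc-static", "glibc-utils", "nscd",
))

# rpmvercmp tokens: runs of digits, runs of letters, or a tilde.
# Any other character (., _, -, +) is a separator and is dropped.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.
    Caret ('^') handling is omitted; it is treated as a separator."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(sa) and i < len(sb):
        x, y = sa[i], sb[i]
        # Tilde sorts before anything else, including a longer string.
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            i += 1
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:               # numeric segment beats alphabetic one
            return 1 if xd else -1
        if xd:                     # compare integers without int() overflow
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        i += 1
    # One side ran out of segments: the longer side is newer unless its
    # next segment is a tilde, in which case it is older.
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[i:] if a_longer else sb[i:]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' into its three parts (no epoch, no arch)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_vulnerable(installed_nvr: str, fixed_vr: str = FIXED_VERSION_RELEASE) -> bool:
    """True when the package is one the advisory covers and is older than the fix."""
    name, version, release = split_nvr(installed_nvr)
    if name not in AFFECTED_PACKAGES:
        return False
    fixed_version, fixed_release = fixed_vr.split("-", 1)
    cmp = rpmvercmp(version, fixed_version)
    if cmp == 0:
        cmp = rpmvercmp(release, fixed_release)
    return cmp < 0


def report(rpm_q_output: str) -> Dict[str, bool]:
    """Map each NVR line of rpm -q output to whether this advisory applies to it."""
    return {line.strip(): is_vulnerable(line.strip())
            for line in rpm_q_output.splitlines() if line.strip()}


# Constructed sample output, shaped like rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'.
SAMPLE_RPM_OUTPUT = """\
glibc-2.12-1.7.el6
glibc-common-2.12-1.7.el6
nscd-2.12-1.7.el6_0.3
kernel-2.6.32-71.el6
"""

if __name__ == "__main__":
    for nvr, vulnerable in report(SAMPLE_RPM_OUTPUT).items():
        print(f"{nvr}: {'UPDATE NEEDED' if vulnerable else 'ok'}")
```

Pipe the real `rpm -q` output into `report()` on each host; `glibc-2.12-1.7.el6_0.10` correctly ranks above the fix because the trailing segments are compared as integers rather than strings, which is where naive string comparison of package versions goes wrong.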