| Description: | Description:
The remote host is missing updates announced in
advisory CLA-2002:535.
The GNU C Library (glibc) is the standard library used by almost any
program in a common GNU/Linux system.
This announcement addresses four security vulnerabilities in glibc
and also fixes the Brazilian timezone regarding the daylight saving
time.
Vulnerabilities:
1. XDR integer overflow [2][3]
There is an integer overflow in the xdr_array() function derived from
Sun's XDR library. This overflow can lead to memory being allocated
with the wrong size, which will most likely cause buffer overflows
later on depending on how applications use the allocated memory. The
krb5 package also contains the vulnerable code and was already fixed
in a previous announcement[10].
2. Resolver read buffer overflow[4][5]
There is a vulnerability in the way the resolver res_* script_family( of
functions contained in glibc and other BIND derived code are commonly
used. These functions place their answer in a caller-supplied buffer.
If this buffer is too small, the answer is truncated and the caller
can check what the actual size should be by reading the return value
of the function. Some callers, though, incorrectly take this value as
the size of the buffer and may then read beyond its end, eventually
causing a segmentation fault or some other kind of error.
Thanks to Olaf Kirch for sharing a patch to fix this problem.
3. calloc(3) integer overflow[6]
calloc(3) is vulnerable to an integer overflow when multiplying the
number of elements by the size of each element. This operation was
not being verified and could result in less memory than needed to be
allocated. Subsequent uses of this buffer would most likely result in
buffer overflows.
4. Possible information leak[7]
Dmitry V. Levin spotted a possible information leak with undersized
DNS responses, for which Solar Designer created a patch.
Daylight saving time (summer time) update
On Octover 1st, 2002 the dates when daylight saving time will begin
and end have finally been published[8] (a little more than 30 days of
advance notice). These dates have been inserted in glibc's zoneinfo
data.
Historicaly the dates on which the daylight saving time starts and
ends have always been choosen from year to year and are seldom the
same. The National Observatory is conducting a poll[9] about this and
we ask our users to take that poll and also manifest their opinion
about the randomness with which these dates seem to be choosen. With
luck, this kind of update will no longer be necessary in the future.
Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000515&idioma=en
http://www.securityspace.com/smysecure/catid.html?in=CLA-2002:535
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002002
Risk factor : Critical
CVSS Score:
10.0
|
