Test ID:1.3.6.1.4.1.25623.1.1.1.2.2014.97
Category:Debian Local Security Checks
Title:Debian: Security Advisory (DLA-97-1)
Summary:The remote host is missing an update for the Debian 'eglibc' package(s) announced via the DLA-97-1 advisory.
Description:

Summary:
The remote host is missing an update for the Debian 'eglibc' package(s) announced via the DLA-97-1 advisory.

Vulnerability Insight:
CVE-2012-6656

Fix the validation check when converting from IBM930 to UTF. When converting IBM930 input with iconv(), an input sequence that contains the invalid multibyte character 0xffff makes iconv() segfault instead of returning an error.

CVE-2014-6040

Crashes on invalid input in the IBM gconv modules [BZ #17325]. These changes are based on the fix for BZ #14134 (the IBM930 crash above) in commit 6e230d11837f3ae7b375ea69d7905f0d18eb79e5 and apply the same missing input validation to the other IBM code-page converters, so that crafted multibyte sequences are rejected with an error rather than crashing the process.

CVE-2014-7817

The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs of the form '$((... ``))', where '...' can be anything valid. The backticks in the arithmetic expression are evaluated in a shell even though WRDE_NOCMD forbids command substitution. This allows an attacker who controls the string passed to wordexp() to pass dangerous commands via constructs of the above form and bypass the WRDE_NOCMD flag. The patch fixes this by checking for WRDE_NOCMD in exec_comm(), the only place that can execute a shell. All other checks for WRDE_NOCMD are superfluous and were removed.

For Debian 6 Squeeze, these issues have been fixed in eglibc version 2.11.3-4+deb6u2
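The following C program is an added example, not part of the Greenbone test or of the glibc sources. It shows the two checks a practitioner would want around the CVE-2014-7817 behaviour described above: expand_nocmd() calls wordexp() with WRDE_NOCMD and reports its status, so on a libc carrying the exec_comm() fix the '$((... `cmd` ...))' pattern comes back as WRDE_CMDSUB instead of spawning a shell; has_cmdsub() is a defence-in-depth pre-screen (an assumption of this example, not something glibc provides) for code that must also run on an unpatched libc, rejecting any unquoted backtick or '$(' before wordexp() ever parses the string. The sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/*
 * Defence-in-depth pre-screen for libcs that predate the CVE-2014-7817 fix
 * (hypothetical helper written for this example): reject any command
 * substitution, i.e. a backtick, or a "$(" that is not the "$((" opener of an
 * arithmetic expansion, outside single quotes. Because "$((" is merely skipped
 * and the scan continues into the arithmetic body, a backtick or "$(" nested
 * inside "$((...))" is still caught, which is exactly the case the vulnerable
 * wordexp() missed. Returns 1 if such a construct is present, 0 otherwise.
 */
int has_cmdsub(const char *s)
{
    int sq = 0, dq = 0;             /* inside single / double quotes */
    for (size_t i = 0; s[i]; i++) {
        char c = s[i];
        if (c == '\\' && !sq && s[i + 1]) { i++; continue; }  /* escaped char */
        if (c == '\'' && !dq) { sq = !sq; continue; }
        if (c == '"' && !sq)  { dq = !dq; continue; }
        if (sq) continue;           /* nothing expands inside single quotes */
        if (c == '`') return 1;
        if (c == '$' && s[i + 1] == '(' && s[i + 2] != '(') return 1;
    }
    return 0;
}

/*
 * Expand INPUT with WRDE_NOCMD and return wordexp()'s status. On success the
 * resulting words are joined with single spaces into OUT. A libc carrying the
 * fix (on Squeeze, eglibc 2.11.3-4+deb6u2 or later) answers the
 * "$((... `cmd` ...))" case with WRDE_CMDSUB instead of running the shell.
 */
int expand_nocmd(const char *input, char *out, size_t outlen)
{
    wordexp_t we;
    int rc = wordexp(input, &we, WRDE_NOCMD);

    out[0] = '\0';
    if (rc == 0) {
        for (size_t i = 0; i < we.we_wordc; i++) {
            if (i) strncat(out, " ", outlen - strlen(out) - 1);
            strncat(out, we.we_wordv[i], outlen - strlen(out) - 1);
        }
    }
    /* POSIX: the structure only needs freeing on success or WRDE_NOSPACE;
       on other errors wordexp() has already released what it allocated. */
    if (rc == 0 || rc == WRDE_NOSPACE)
        wordfree(&we);
    return rc;
}

int main(void)
{
    /* Constructed inputs: a benign arithmetic expansion, the CVE-2014-7817
       pattern, and a single-quoted backtick that must not count as
       command substitution. */
    const char *samples[] = {
        "$((1+2))",
        "$((1+`echo 2`))",
        "'`not a command`'",
    };
    char buf[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int screened = has_cmdsub(samples[i]);
        int rc = expand_nocmd(samples[i], buf, sizeof buf);
        printf("%-22s pre-screen=%d wordexp(WRDE_NOCMD)=%d%s%s\n",
               samples[i], screened, rc,
               rc == 0 ? " words=" : "", rc == 0 ? buf : "");
    }
    return 0;
}
```

Run against a fixed libc, the second sample reports a non-zero wordexp() status (WRDE_CMDSUB) and the pre-screen flags it as well; on an unpatched eglibc only the pre-screen stands between the attacker-controlled string and /bin/sh, which is why code that passes untrusted input to wordexp() should treat WRDE_NOCMD as necessary but not sufficient until the package is updated.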

Affected Software/OS:
'eglibc' package(s) on Debian 6.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2012-6656
BugTraq ID: 69472
http://www.securityfocus.com/bid/69472
Debian Security Information: DSA-3142
http://www.debian.org/security/2015/dsa-3142
https://security.gentoo.org/glsa/201503-04
http://www.mandriva.com/security/advisories?name=MDVSA-2014:175
http://www.openwall.com/lists/oss-security/2014/08/29/3
http://www.openwall.com/lists/oss-security/2014/09/02/1
http://www.ubuntu.com/usn/USN-2432-1
Common Vulnerability Exposure (CVE) ID: CVE-2014-6040
Secunia Advisory: 62100
http://secunia.com/advisories/62100
Secunia Advisory: 62146
http://secunia.com/advisories/62146
BugTraq ID: 69472
Debian Security Information: DSA-3142
Gentoo Security Advisory: GLSA-201602-02
https://security.gentoo.org/glsa/201602-02
Mandriva Security Advisory: MDVSA-2014:175
Ubuntu Security Notice: USN-2432-1
http://ubuntu.com/usn/usn-2432-1
[oss-security] 20140829 CVE request: glibc character set conversion from IBM code pages
[oss-security] 20140902 Re: CVE request: glibc character set conversion from IBM code pages
http://linux.oracle.com/errata/ELSA-2015-0016.html
https://sourceware.org/bugzilla/show_bug.cgi?id=17325
https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=41488498b6
Common Vulnerability Exposure (CVE) ID: CVE-2014-7817
BugTraq ID: 71216
http://www.securityfocus.com/bid/71216
Red Hat Security Advisory: RHSA-2014:2023
http://rhn.redhat.com/errata/RHSA-2014-2023.html
[libc-alpha] 20141119 [COMMITTED] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
https://sourceware.org/ml/libc-alpha/2014-11/msg00519.html
[oss-security] 20141120 CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified
http://seclists.org/oss-sec/2014/q4/730
IBM X-Force: gnu-glibc-cve20147817-command-exec(98852)
https://exchange.xforce.ibmcloud.com/vulnerabilities/98852
http://linux.oracle.com/errata/ELSA-2015-0092.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://sourceware.org/bugzilla/show_bug.cgi?id=17625
https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
openSUSE Security Update: openSUSE-SU-2015:0351
http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html
Copyright:Copyright (C) 2023 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.