openSUSE Security Update : glibc (openSUSE-2019-539)

critical Nessus Plugin ID 123228

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for glibc fixes the following security issues :

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spaned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).

- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).

- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have writen data beyond the target buffer, leading to a buffer overflow in
__mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected glibc packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1082318

https://bugzilla.opensuse.org/show_bug.cgi?id=1092877

https://bugzilla.opensuse.org/show_bug.cgi?id=1094150

https://bugzilla.opensuse.org/show_bug.cgi?id=1094154

https://bugzilla.opensuse.org/show_bug.cgi?id=1094161

Plugin Details

Severity: Critical

ID: 123228

File Name: openSUSE-2019-539.nasl

Version: 1.5

Type: local

Agent: unix

Published: 3/27/2019

Updated: 6/11/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-11236

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:glibc-devel-32bit, cpe:/o:novell:opensuse:15.0, p-cpe:/a:novell:opensuse:glibc-i18ndata, p-cpe:/a:novell:opensuse:glibc-locale-debuginfo, p-cpe:/a:novell:opensuse:glibc-profile-32bit, p-cpe:/a:novell:opensuse:glibc-extra-debuginfo, p-cpe:/a:novell:opensuse:glibc-extra, p-cpe:/a:novell:opensuse:glibc-locale-32bit-debuginfo, p-cpe:/a:novell:opensuse:glibc-profile, p-cpe:/a:novell:opensuse:glibc, p-cpe:/a:novell:opensuse:glibc-devel-32bit-debuginfo, p-cpe:/a:novell:opensuse:glibc-utils, p-cpe:/a:novell:opensuse:glibc-debugsource, p-cpe:/a:novell:opensuse:glibc-devel, p-cpe:/a:novell:opensuse:glibc-locale, p-cpe:/a:novell:opensuse:glibc-utils-32bit, p-cpe:/a:novell:opensuse:glibc-utils-32bit-debuginfo, p-cpe:/a:novell:opensuse:glibc-html, p-cpe:/a:novell:opensuse:glibc-utils-src-debugsource, p-cpe:/a:novell:opensuse:glibc-locale-32bit, p-cpe:/a:novell:opensuse:glibc-32bit-debuginfo, p-cpe:/a:novell:opensuse:glibc-32bit, p-cpe:/a:novell:opensuse:glibc-debuginfo, p-cpe:/a:novell:opensuse:glibc-utils-debuginfo, p-cpe:/a:novell:opensuse:glibc-devel-static-32bit, p-cpe:/a:novell:opensuse:nscd-debuginfo, p-cpe:/a:novell:opensuse:glibc-info, p-cpe:/a:novell:opensuse:glibc-devel-debuginfo, p-cpe:/a:novell:opensuse:nscd, p-cpe:/a:novell:opensuse:glibc-devel-static

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/23/2019

Vulnerability Publication Date: 5/18/2018

Reference Information

CVE: CVE-2017-18269, CVE-2018-11236, CVE-2018-11237