Monday, December 17, 2012

[USN-1589-2] GNU C Library regression

==========================================================================
Ubuntu Security Notice USN-1589-2
December 17, 2012

glibc regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 8.04 LTS

Summary:

USN-1589-1 exposed a regression in the GNU C Library floating point parser.

Software Description:
- glibc: GNU C Library

Details:

USN-1589-1 fixed vulnerabilities in the GNU C Library. One of the updates
exposed a regression in the floating point parser. This update fixes the
problem.

We apologize for the inconvenience.
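A post-update sanity check for the floating point parser this notice refers to, added here as an example and not part of the Ubuntu notice: it runs strtod() over a constructed table of inputs (plain decimals, the extremes of the double range, hex floats, trailing garbage and out-of-range exponents) and reports any value, length or errno mismatch. The table and its expected values are constructed for illustration, not derived from the regression itself.

```c
#include <errno.h>
#include <float.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Text to parse, the value a correct strtod() must return, the characters it
 * must consume (-1 = whole string) and the errno it must leave (-1 = skip). */
struct fp_case { const char *text; double want; int consumed; int want_errno; };

/* Constructed inputs: plain decimals, the extremes of the double range,
 * hex floats, trailing garbage and out-of-range exponents. */
static const struct fp_case fp_cases[] = {
    { "3.14159",                3.14159,   -1, 0 },
    { "-2.5e3",                 -2500.0,   -1, 0 },
    { "  +1e3xyz",              1000.0,     6, 0 },      /* skips spaces, stops at 'x' */
    { "1.7976931348623157e308", DBL_MAX,   -1, 0 },
    { "0x1p-1074",              0x1p-1074, -1, -1 },     /* smallest subnormal, hex form */
    { "1e-320",                 1e-320,    -1, -1 },     /* inexact subnormal; ERANGE varies by libc */
    { "1e400",                  HUGE_VAL,  -1, ERANGE }, /* overflow */
    { "1e-400",                 0.0,       -1, ERANGE }, /* underflow to zero */
    { "abc",                    0.0,        0, 0 },      /* no conversion: endptr == text */
};

/* Runs every case through strtod() and returns the number of failures,
 * printing one line per failure so a broken parser is easy to spot. */
int check_fp_parser(void)
{
    int failures = 0;
    for (size_t i = 0; i < sizeof fp_cases / sizeof fp_cases[0]; i++) {
        const struct fp_case *c = &fp_cases[i];
        char *end = NULL;
        errno = 0;
        double got = strtod(c->text, &end);
        int got_errno = errno;
        int got_len = (int)(end - c->text);
        int want_len = c->consumed < 0 ? (int)strlen(c->text) : c->consumed;
        /* Exact comparison is intended: inf == inf and 0.0 == 0.0 both hold. */
        if (got != c->want || got_len != want_len ||
            (c->want_errno >= 0 && got_errno != c->want_errno)) {
            failures++;
            printf("FAIL %-24s got %.17g len %d errno %d; want %.17g len %d errno %d\n",
                   c->text, got, got_len, got_errno, c->want, want_len, c->want_errno);
        }
    }
    return failures;
}

int main(void) { return check_fp_parser() ? EXIT_FAILURE : EXIT_SUCCESS; }
```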

Original advisory details:

It was discovered that positional arguments to the printf() family
of functions were not handled properly in the GNU C Library. An
attacker could possibly use this to cause a stack-based buffer
overflow, leading to a denial of service or possibly arbitrary code
execution. (CVE-2012-3404, CVE-2012-3405, CVE-2012-3406)

It was discovered that multiple integer overflows existed in the
strtod(), strtof() and strtold() functions in the GNU C Library. An
attacker could possibly use this to trigger a stack-based buffer
overflow, leading to a denial of service or possibly arbitrary code
execution. (CVE-2012-3480)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 8.04 LTS:
libc6 2.7-10ubuntu8.3

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1589-2
http://www.ubuntu.com/usn/usn-1589-1
CVE-2012-3480

Package Information:
https://launchpad.net/ubuntu/+source/glibc/2.7-10ubuntu8.3
