
Security Advisory Moderate: glibc security update

Advisory: RHSA-2012:0126-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-02-13
Last updated on: 2012-02-13
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2009-5029
CVE-2009-5064
CVE-2010-0830
CVE-2011-1089
CVE-2011-4609

Details

Updated glibc packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The glibc packages contain the standard C library and the standard math
library used by multiple programs on the system. Without these two
libraries, a Linux system cannot function properly.

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the glibc library read timezone files. If a
carefully-crafted timezone file was loaded by an application linked against
glibc, it could cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application.
(CVE-2009-5029)

A flaw was found in the way the ldd utility identified dynamically linked
libraries. If an attacker could trick a user into running ldd on a
malicious binary, it could result in arbitrary code execution with the
privileges of the user running ldd. (CVE-2009-5064)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the glibc library loaded ELF (Executable and Linking
Format) files. If a carefully-crafted ELF file was loaded by an
application linked against glibc, it could cause the application to crash
or, potentially, execute arbitrary code with the privileges of the user
running the application. (CVE-2010-0830)

It was found that the glibc addmntent() function, used by various mount
helper utilities, did not handle certain errors correctly when updating the
mtab (mounted file systems table) file. If such utilities had the setuid
bit set, a local attacker could use this flaw to corrupt the mtab file.
(CVE-2011-1089)

A denial of service flaw was found in the remote procedure call (RPC)
implementation in glibc. A remote attacker able to open a large number of
connections to an RPC service that is using the RPC implementation from
glibc could use this flaw to make that service use an excessive amount of
CPU time. (CVE-2011-4609)

Red Hat would like to thank the Ubuntu Security Team for reporting
CVE-2010-0830, and Dan Rosenberg for reporting CVE-2011-1089. The Ubuntu
Security Team acknowledges Dan Rosenberg as the original reporter of
CVE-2010-0830.

Users should upgrade to these updated packages, which resolve these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
glibc-2.5-65.el5_7.3.src.rpm
    File outdated by: RHSA-2013:1411
    MD5: b6ecdf8349d9f2aff6d2caed53a82417
    SHA-256: 24353afc93a811be24aea3ccb3322dbb755bda6dfc445831a89e03f464073508
 
IA-32:
glibc-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 2d9bda870c348fe0dac25f4ddd3410f1
    SHA-256: 64b2a196e8fcb573720474778cdbe20cc0ddda3c061a8939ea5214c4d09b9f50
glibc-2.5-65.el5_7.3.i686.rpm
    File outdated by: RHSA-2013:1411
    MD5: f69068578cd420394abbf2f8b106f984
    SHA-256: eb65aa34342b1b1de14a05f8c9950766d17da0c4e25fb5d35272709fdffde85b
glibc-common-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 0724acd2946925962eeb0ba3aeb877df
    SHA-256: ca3ba5f0ce70a675b0b44fa5187931cf15e57b2139fb8958c3f3c79d4518a4c4
glibc-devel-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: cfcbff8a6e52de2d00cc67f23f1b64a3
    SHA-256: d8fa4fefe7ce0b948b53fb1cf9ad3f1053336a40244605431fcfbba9f356bf49
glibc-headers-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 94b5e5ed7466f46c089e4717b4710484
    SHA-256: c87647bdd735c9f0334933ed16416d96499b8cb0a52c3429bb9f0c583da8cb05
glibc-utils-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 97a20e2ef2d7407603ba53e95d46db37
    SHA-256: f3e192343419ce9e6a0c98ffbc41ab42423df06a51f06a82fb22d4ced4246957
nscd-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 866b980c60e6e3a3444de63e3c7d452b
    SHA-256: cf5e3740393bb18bdca1f6ac0ef07aef10101fe9a8e913e323d177d34b63398a
 
IA-64:
glibc-2.5-65.el5_7.3.i686.rpm
    File outdated by: RHSA-2013:1411
    MD5: f69068578cd420394abbf2f8b106f984
    SHA-256: eb65aa34342b1b1de14a05f8c9950766d17da0c4e25fb5d35272709fdffde85b
glibc-2.5-65.el5_7.3.ia64.rpm
    File outdated by: RHSA-2013:1411
    MD5: a820673b7312dd1fb8ee5f2e739f8cc3
    SHA-256: 61553c50bf87c36d1009db9be6922b51d4723fbefc9f1a1c1c08908db966ac10
glibc-common-2.5-65.el5_7.3.ia64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 1d2822cc2ae49073af4231476398d8ff
    SHA-256: 63696e80ebb6859afd88ba8cbf31afeea9e5eb110ada5373d74b3af84b515051
glibc-devel-2.5-65.el5_7.3.ia64.rpm
    File outdated by: RHSA-2013:1411
    MD5: a74f86562446a06728b7a49556362361
    SHA-256: d75a790f9ebfaebebaa21e5ca302f7ca435fc10dc938342124b68459af9fd1d4
glibc-headers-2.5-65.el5_7.3.ia64.rpm
    File outdated by: RHSA-2013:1411
    MD5: b4cfa525d238215e443e687f1371623d
    SHA-256: 9c15161fbb43d021adee3caed03880877510e2354fc907e372558d8cf2c006f7
glibc-utils-2.5-65.el5_7.3.ia64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 3b1b992f94aef00d3121f8dfc5b2b113
    SHA-256: 336b2dd413df118b1305866852c9901d83443141add86c196613965b14612ca3
nscd-2.5-65.el5_7.3.ia64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 27844ef21426050dc2a74a3a4496a397
    SHA-256: 1f331a2401981fc79b04352a56c82e06ec39945b6ca9500b6fa831ba1a0832b3
 
PPC:
glibc-2.5-65.el5_7.3.ppc.rpm
    File outdated by: RHSA-2013:1411
    MD5: 43a9962a1078dc60a92ca4bc939fbc60
    SHA-256: 26d30ff1c3304f8b67525fdb90225f4e3eb728a9e912d7e2c1d03859af0fb93f
glibc-2.5-65.el5_7.3.ppc64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 553805424c26fd1b9b3632d23f575410
    SHA-256: fce7623060d5e4a47421e61948838b41c62b2240ea0ed4ed5bc31524afe4a9bd
glibc-common-2.5-65.el5_7.3.ppc.rpm
    File outdated by: RHSA-2013:1411
    MD5: dc382c275536d450814112f8bcd288e4
    SHA-256: a22972c457d48b6f52f8aada05f1093a5fc3cd445089673f645f87533e6cb220
glibc-devel-2.5-65.el5_7.3.ppc.rpm
    File outdated by: RHSA-2013:1411
    MD5: 417c528e7b18a7a936fb6c2f94c8b1a0
    SHA-256: c0f418e584432150af566b5b50e5141868995045eb4fa1f99823cc0742ddc181
glibc-devel-2.5-65.el5_7.3.ppc64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 2363b95edc329c0781858dfc0e6eed8e
    SHA-256: 7618e424a0e14c25d6e97b7490210f9c5c35766fcfd66fbd51210aaef5601379
glibc-headers-2.5-65.el5_7.3.ppc.rpm
    File outdated by: RHSA-2013:1411
    MD5: 6a7566939b355dde665238cc70bae5f1
    SHA-256: 02af3931bdccfe63b96b6c83123c681e8f2f57332023e421eff159c50eab7840
glibc-utils-2.5-65.el5_7.3.ppc.rpm
    File outdated by: RHSA-2013:1411
    MD5: e9e6ee0430a7fb0a547c22046c93104d
    SHA-256: 2e7bfb458efaa67d23443a61f0667cfe53ea1e91c5026f80011d834c64f00665
nscd-2.5-65.el5_7.3.ppc.rpm
    File outdated by: RHSA-2013:1411
    MD5: 04769b0ca6e3c9701ccaff5d2f64e789
    SHA-256: d91c4aca73250f08af9f907e29da72c912f3117b84e7788055b311da49921b07
 
s390x:
glibc-2.5-65.el5_7.3.s390.rpm
    File outdated by: RHSA-2013:1411
    MD5: 61cf7746ef1a70df053190d44e4b78d7
    SHA-256: e2abc872154e55f7862f6205aae6a2c7e99896261306a96b165d98f058928acf
glibc-2.5-65.el5_7.3.s390x.rpm
    File outdated by: RHSA-2013:1411
    MD5: ecc648cb07f9556c04b8adb7e6c4f21b
    SHA-256: 970cfc5db150bcbe135d2a0b95d7ab075afe5f52adc2454b745f7aa66cd80e3f
glibc-common-2.5-65.el5_7.3.s390x.rpm
    File outdated by: RHSA-2013:1411
    MD5: cb3f9789b0bae0fe47bbea1284f2f3b9
    SHA-256: 122a4a6f7a4dbada2b4a827d395c587f8e7fb3a137a470f4c7fa28f9d006bbbe
glibc-devel-2.5-65.el5_7.3.s390.rpm
    File outdated by: RHSA-2013:1411
    MD5: 2ca7040070c2cd78cc7d6a2d9efbb086
    SHA-256: a191c216b8d15f92000d4ee58f2b04c193b6fd3b0bae86a6267df4e49b46ae8f
glibc-devel-2.5-65.el5_7.3.s390x.rpm
    File outdated by: RHSA-2013:1411
    MD5: 2d2625800511db316ec399cb1679a37c
    SHA-256: 2ae1c2e99d1a17ac624e5c1ce7e3b75bed0cd4e45a6b841bc2fdfa8e06562742
glibc-headers-2.5-65.el5_7.3.s390x.rpm
    File outdated by: RHSA-2013:1411
    MD5: b9ab76cf58168ed0e157440c1503511a
    SHA-256: 5e4f18a9d408a0199fd7e51d27459a33e176a051fff41dead30c9c5bafbd0af2
glibc-utils-2.5-65.el5_7.3.s390x.rpm
    File outdated by: RHSA-2013:1411
    MD5: d851d0d99f1224efc9ed5de2cb5c73fd
    SHA-256: ef2bb3a6fbf3f46dee92a67afc8a8f6021292a91cd2d3d67d34629b711e3dbb6
nscd-2.5-65.el5_7.3.s390x.rpm
    File outdated by: RHSA-2013:1411
    MD5: 2f2e314c1e00991ebfd72d83131fdb74
    SHA-256: 7900d6b98b31531f34782848f703f79bccd4504b86b4890d4df4828052671cca
 
x86_64:
glibc-2.5-65.el5_7.3.i686.rpm
    File outdated by: RHSA-2013:1411
    MD5: f69068578cd420394abbf2f8b106f984
    SHA-256: eb65aa34342b1b1de14a05f8c9950766d17da0c4e25fb5d35272709fdffde85b
glibc-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: fe7e9cf3bacdfba45a93f8c912b5d4b0
    SHA-256: e40d6963d156d44f204f169d768649a34c4a2cf29a1e92f567ebe418094bb9df
glibc-common-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: afb759b5167258accdf422d0296efa86
    SHA-256: 30845c7235b76a209fb953365e6ba3c39da922dd79160e17aa8dd5aa3787e085
glibc-devel-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: cfcbff8a6e52de2d00cc67f23f1b64a3
    SHA-256: d8fa4fefe7ce0b948b53fb1cf9ad3f1053336a40244605431fcfbba9f356bf49
glibc-devel-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 657ab49bb6eaa0526fd60f1b904fd9d3
    SHA-256: db10bda1ad6688611efead658d5923790800f3eaeed81f7dbdaa3c266582a89a
glibc-headers-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 25519ad628ac3822f09a17572203e019
    SHA-256: 5647fc87e8b786ea38e7682530bc2997acd1be982b31348682588383405d2048
glibc-utils-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 752f983a4a23bd75f223fe8e74643a95
    SHA-256: a80054021db3c773299830a960c1900a5e1c040bac34146c2a4ab757a76609ab
nscd-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: f9801289c667241d24ab02662759590a
    SHA-256: 96c92c860f8ed16c1b98c635a0fc795ca17f7b664d5cb83d092c6de5b0780495
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
glibc-2.5-65.el5_7.3.src.rpm
    File outdated by: RHSA-2013:1411
    MD5: b6ecdf8349d9f2aff6d2caed53a82417
    SHA-256: 24353afc93a811be24aea3ccb3322dbb755bda6dfc445831a89e03f464073508
 
IA-32:
glibc-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 2d9bda870c348fe0dac25f4ddd3410f1
    SHA-256: 64b2a196e8fcb573720474778cdbe20cc0ddda3c061a8939ea5214c4d09b9f50
glibc-2.5-65.el5_7.3.i686.rpm
    File outdated by: RHSA-2013:1411
    MD5: f69068578cd420394abbf2f8b106f984
    SHA-256: eb65aa34342b1b1de14a05f8c9950766d17da0c4e25fb5d35272709fdffde85b
glibc-common-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 0724acd2946925962eeb0ba3aeb877df
    SHA-256: ca3ba5f0ce70a675b0b44fa5187931cf15e57b2139fb8958c3f3c79d4518a4c4
glibc-devel-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: cfcbff8a6e52de2d00cc67f23f1b64a3
    SHA-256: d8fa4fefe7ce0b948b53fb1cf9ad3f1053336a40244605431fcfbba9f356bf49
glibc-headers-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 94b5e5ed7466f46c089e4717b4710484
    SHA-256: c87647bdd735c9f0334933ed16416d96499b8cb0a52c3429bb9f0c583da8cb05
glibc-utils-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 97a20e2ef2d7407603ba53e95d46db37
    SHA-256: f3e192343419ce9e6a0c98ffbc41ab42423df06a51f06a82fb22d4ced4246957
nscd-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 866b980c60e6e3a3444de63e3c7d452b
    SHA-256: cf5e3740393bb18bdca1f6ac0ef07aef10101fe9a8e913e323d177d34b63398a
 
x86_64:
glibc-2.5-65.el5_7.3.i686.rpm
    File outdated by: RHSA-2013:1411
    MD5: f69068578cd420394abbf2f8b106f984
    SHA-256: eb65aa34342b1b1de14a05f8c9950766d17da0c4e25fb5d35272709fdffde85b
glibc-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: fe7e9cf3bacdfba45a93f8c912b5d4b0
    SHA-256: e40d6963d156d44f204f169d768649a34c4a2cf29a1e92f567ebe418094bb9df
glibc-common-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: afb759b5167258accdf422d0296efa86
    SHA-256: 30845c7235b76a209fb953365e6ba3c39da922dd79160e17aa8dd5aa3787e085
glibc-devel-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: cfcbff8a6e52de2d00cc67f23f1b64a3
    SHA-256: d8fa4fefe7ce0b948b53fb1cf9ad3f1053336a40244605431fcfbba9f356bf49
glibc-devel-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 657ab49bb6eaa0526fd60f1b904fd9d3
    SHA-256: db10bda1ad6688611efead658d5923790800f3eaeed81f7dbdaa3c266582a89a
glibc-headers-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 25519ad628ac3822f09a17572203e019
    SHA-256: 5647fc87e8b786ea38e7682530bc2997acd1be982b31348682588383405d2048
glibc-utils-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: 752f983a4a23bd75f223fe8e74643a95
    SHA-256: a80054021db3c773299830a960c1900a5e1c040bac34146c2a4ab757a76609ab
nscd-2.5-65.el5_7.3.x86_64.rpm
    File outdated by: RHSA-2013:1411
    MD5: f9801289c667241d24ab02662759590a
    SHA-256: 96c92c860f8ed16c1b98c635a0fc795ca17f7b664d5cb83d092c6de5b0780495
 
(The unlinked packages above are only available from the Red Hat Network)
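To turn the digest table above into an actual check, the following is an added example (not Red Hat's tooling and not code from the advisory) that parses entries in the list format used on this page and verifies a downloaded file against them. The two entries in ADVISORY_EXCERPT are taken from the table; the stand-in package that run_demo() writes, its digests, and the names example-1.0-1.el5.noarch.rpm and unlisted-1.0-1.el5.i386.rpm are constructed so the example runs offline without the real RPMs. The check insists on the SHA-256 match and treats MD5 only as a cross-check of the advisory entry, since MD5 is collision-prone; it is a download-integrity check and does not replace verifying the package's GPG signature.

```python
"""Check downloaded RPMs against the digests an advisory publishes.

Added illustration, not Red Hat's tooling. ADVISORY_EXCERPT copies two
entries from the "Updated packages" table; the files written by run_demo()
and their digests are constructed so the example runs offline.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PackageDigests:
    md5: str
    sha256: str
    outdated_by: Optional[str]  # later advisory superseding this file, if any


# Two entries from the table above; indentation does not matter to the parser.
ADVISORY_EXCERPT = """\
SRPMS:
glibc-2.5-65.el5_7.3.src.rpm
    File outdated by: RHSA-2013:1411
    MD5: b6ecdf8349d9f2aff6d2caed53a82417
    SHA-256: 24353afc93a811be24aea3ccb3322dbb755bda6dfc445831a89e03f464073508

IA-32:
glibc-2.5-65.el5_7.3.i386.rpm
    File outdated by: RHSA-2013:1411
    MD5: 2d9bda870c348fe0dac25f4ddd3410f1
    SHA-256: 64b2a196e8fcb573720474778cdbe20cc0ddda3c061a8939ea5214c4d09b9f50
"""

_RPM_LINE = re.compile(r"^\S+\.rpm$")
_KV_LINE = re.compile(r"^(File outdated by|MD5|SHA-256):\s*(\S+)$")


def parse_advisory_table(text: str) -> Dict[str, PackageDigests]:
    """Map each listed .rpm file name to its published digests.
    Architecture headers ("IA-32:") and blank lines are skipped; an entry
    missing either digest is rejected rather than silently half-parsed."""
    fields: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in (raw.strip() for raw in text.splitlines()):
        if _RPM_LINE.match(line):
            current = line
            fields[current] = {}
        elif current is not None and (m := _KV_LINE.match(line)):
            fields[current][m.group(1)] = m.group(2)
    table: Dict[str, PackageDigests] = {}
    for name, f in fields.items():
        if "MD5" not in f or "SHA-256" not in f:
            raise ValueError(f"incomplete digest entry for {name}")
        table[name] = PackageDigests(f["MD5"].lower(), f["SHA-256"].lower(),
                                     f.get("File outdated by"))
    return table


def file_digests(path: Path) -> Tuple[str, str]:
    """Stream the file once and return (md5, sha256) hex digests."""
    md5 = hashlib.md5(usedforsecurity=False)  # cross-check only, never the decider
    sha256 = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_package(path: Path, table: Dict[str, PackageDigests]) -> Tuple[bool, str]:
    """Accept a file only if its SHA-256 equals the published one; a matching
    MD5 alone never passes. This is integrity of the download, not
    authenticity: the RPM's GPG signature still has to be checked."""
    entry = table.get(path.name)
    if entry is None:
        return False, f"{path.name} is not listed in the advisory"
    md5, sha256 = file_digests(path)
    if sha256 != entry.sha256:
        return False, "SHA-256 mismatch"
    if md5 != entry.md5:
        return False, "SHA-256 matches but MD5 does not; advisory entry is inconsistent"
    note = f" (superseded by {entry.outdated_by})" if entry.outdated_by else ""
    return True, "digests match" + note


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the three outcomes on constructed files in a temp directory."""
    table = parse_advisory_table(ADVISORY_EXCERPT)
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed stand-in package whose digests we publish ourselves,
        # so a genuine "match" case exists without the real RPM.
        good = d / "example-1.0-1.el5.noarch.rpm"
        good.write_bytes(b"constructed stand-in payload, not a real RPM\n")
        md5, sha256 = file_digests(good)
        table[good.name] = PackageDigests(md5, sha256, None)
        # Constructed: a listed file name carrying different bytes.
        tampered = d / "glibc-2.5-65.el5_7.3.i386.rpm"
        tampered.write_bytes(b"not the package the advisory describes\n")
        # Constructed: a name the advisory never lists.
        unknown = d / "unlisted-1.0-1.el5.i386.rpm"
        unknown.write_bytes(b"x")
        return {p.name: verify_package(p, table) for p in (good, tampered, unknown)}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {why}")
```

To use it on a real download, paste the full table for your architecture into ADVISORY_EXCERPT and call verify_package() on each file; a passing digest still says nothing about who built the package, so run the GPG signature check (rpm -K, with Red Hat's key imported as described at the end of this advisory) before installing. Entries marked "File outdated by" are reported as matches but flagged, since a newer advisory supersedes them.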

Bugs fixed (see bugzilla for more information)

599056 - CVE-2010-0830 glibc: ld.so d_tag signedness error in elf_get_dynamic_info
688980 - CVE-2011-1089 glibc: Suid mount helpers fail to anticipate RLIMIT_FSIZE
692393 - CVE-2009-5064 glibc: ldd unexpected code execution issue
761245 - CVE-2009-5029 glibc: __tzfile_read integer overflow to buffer overflow
767299 - CVE-2011-4609 glibc: svc_run() produces high cpu usage when accept() fails with EMFILE error

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/