Security update for glibc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1527-1 Final 1 1 2016-06-08T10:13:53Z current 2016-06-08T10:13:53Z 2016-06-08T10:13:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for glibc This update for glibc fixes the following issues: - glob-altdirfunc.patch: Do not copy d_name field of struct dirent (CVE-2016-1234, boo#969727, BZ #19779) - nss-dns-memleak-2.patch: fix memory leak in _nss_dns_gethostbyname4_r (boo#973010) - nss-dns-getnetbyname.patch: fix stack overflow in _nss_dns_getnetbyname_r (CVE-2016-3075, boo#973164, BZ #19879) - getaddrinfo-hostent-conv-stack-overflow.patch: getaddrinfo stack overflow in hostent conversion (CVE-2016-3706, boo#980483, BZ #20010) - clntudp-call-alloca.patch: do not use alloca in clntudp_call (CVE-2016-4429, boo#980854, BZ #20112) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html E-Mail link for openSUSE-SU-2016:1527-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 glibc-2.19-16.25.1 glibc-32bit-2.19-16.25.2 glibc-debuginfo-2.19-16.25.1 glibc-debuginfo-32bit-2.19-16.25.2 glibc-debugsource-2.19-16.25.1 glibc-devel-2.19-16.25.1 glibc-devel-32bit-2.19-16.25.2 glibc-devel-debuginfo-2.19-16.25.1 glibc-devel-debuginfo-32bit-2.19-16.25.2 glibc-devel-static-2.19-16.25.1 glibc-devel-static-32bit-2.19-16.25.2 glibc-extra-2.19-16.25.1 glibc-extra-debuginfo-2.19-16.25.1 glibc-html-2.19-16.25.1 glibc-i18ndata-2.19-16.25.1 glibc-info-2.19-16.25.1 glibc-locale-2.19-16.25.1 glibc-locale-32bit-2.19-16.25.2 glibc-locale-debuginfo-2.19-16.25.1 glibc-locale-debuginfo-32bit-2.19-16.25.2 glibc-obsolete-2.19-16.25.1 glibc-obsolete-debuginfo-2.19-16.25.1 glibc-profile-2.19-16.25.1 glibc-profile-32bit-2.19-16.25.2 glibc-testsuite-2.19-16.25.2 glibc-utils-2.19-16.25.1 glibc-utils-32bit-2.19-16.25.1 glibc-utils-debuginfo-2.19-16.25.1 glibc-utils-debuginfo-32bit-2.19-16.25.1 glibc-utils-debugsource-2.19-16.25.1 nscd-2.19-16.25.1 nscd-debuginfo-2.19-16.25.1 glibc-2.19-16.25.1 as a component of openSUSE 13.2 glibc-32bit-2.19-16.25.2 as a component of openSUSE 13.2 glibc-debuginfo-2.19-16.25.1 as a component of openSUSE 13.2 glibc-debuginfo-32bit-2.19-16.25.2 as a component of openSUSE 13.2 glibc-debugsource-2.19-16.25.1 as a component of openSUSE 13.2 glibc-devel-2.19-16.25.1 as a component of openSUSE 13.2 glibc-devel-32bit-2.19-16.25.2 as a component of openSUSE 13.2 glibc-devel-debuginfo-2.19-16.25.1 as a component of openSUSE 13.2 glibc-devel-debuginfo-32bit-2.19-16.25.2 as a component of openSUSE 13.2 glibc-devel-static-2.19-16.25.1 as a component of openSUSE 13.2 glibc-devel-static-32bit-2.19-16.25.2 as a component of openSUSE 13.2 glibc-extra-2.19-16.25.1 as a component of openSUSE 13.2 glibc-extra-debuginfo-2.19-16.25.1 as a component of openSUSE 13.2 glibc-html-2.19-16.25.1 as a component of openSUSE 13.2 glibc-i18ndata-2.19-16.25.1 as a component of openSUSE 13.2 glibc-info-2.19-16.25.1 as a component of openSUSE 13.2 glibc-locale-2.19-16.25.1 as a component of openSUSE 13.2 glibc-locale-32bit-2.19-16.25.2 as a component of openSUSE 13.2 glibc-locale-debuginfo-2.19-16.25.1 as a component of openSUSE 13.2 glibc-locale-debuginfo-32bit-2.19-16.25.2 as a component of openSUSE 13.2 glibc-obsolete-2.19-16.25.1 as a component of openSUSE 13.2 glibc-obsolete-debuginfo-2.19-16.25.1 as a component of openSUSE 13.2 glibc-profile-2.19-16.25.1 as a component of openSUSE 13.2 glibc-profile-32bit-2.19-16.25.2 as a component of openSUSE 13.2 glibc-testsuite-2.19-16.25.2 as a component of openSUSE 13.2 glibc-utils-2.19-16.25.1 as a component of openSUSE 13.2 glibc-utils-32bit-2.19-16.25.1 as a component of openSUSE 13.2 glibc-utils-debuginfo-2.19-16.25.1 as a component of openSUSE 13.2 glibc-utils-debuginfo-32bit-2.19-16.25.1 as a component of openSUSE 13.2 glibc-utils-debugsource-2.19-16.25.1 as a component of openSUSE 13.2 nscd-2.19-16.25.1 as a component of openSUSE 13.2 nscd-debuginfo-2.19-16.25.1 as a component of openSUSE 13.2 Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name. CVE-2016-1234 openSUSE 13.2:glibc-2.19-16.25.1 openSUSE 13.2:glibc-32bit-2.19-16.25.2 openSUSE 13.2:glibc-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-debugsource-2.19-16.25.1 openSUSE 13.2:glibc-devel-2.19-16.25.1 openSUSE 13.2:glibc-devel-32bit-2.19-16.25.2 openSUSE 13.2:glibc-devel-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-devel-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-devel-static-2.19-16.25.1 openSUSE 13.2:glibc-devel-static-32bit-2.19-16.25.2 openSUSE 13.2:glibc-extra-2.19-16.25.1 openSUSE 13.2:glibc-extra-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-html-2.19-16.25.1 openSUSE 13.2:glibc-i18ndata-2.19-16.25.1 openSUSE 13.2:glibc-info-2.19-16.25.1 openSUSE 13.2:glibc-locale-2.19-16.25.1 openSUSE 13.2:glibc-locale-32bit-2.19-16.25.2 openSUSE 13.2:glibc-locale-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-locale-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-obsolete-2.19-16.25.1 openSUSE 13.2:glibc-obsolete-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-profile-2.19-16.25.1 openSUSE 13.2:glibc-profile-32bit-2.19-16.25.2 openSUSE 13.2:glibc-testsuite-2.19-16.25.2 openSUSE 13.2:glibc-utils-2.19-16.25.1 openSUSE 13.2:glibc-utils-32bit-2.19-16.25.1 openSUSE 13.2:glibc-utils-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-utils-debuginfo-32bit-2.19-16.25.1 openSUSE 13.2:glibc-utils-debugsource-2.19-16.25.1 openSUSE 13.2:nscd-2.19-16.25.1 openSUSE 13.2:nscd-debuginfo-2.19-16.25.1 moderate 4.2 AV:L/AC:L/Au:S/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html https://www.suse.com/security/cve/CVE-2016-1234.html CVE-2016-1234 https://bugzilla.suse.com/1020940 SUSE Bug 1020940 https://bugzilla.suse.com/969727 SUSE Bug 969727 https://bugzilla.suse.com/988770 SUSE Bug 988770 https://bugzilla.suse.com/988782 SUSE Bug 988782 https://bugzilla.suse.com/989127 SUSE Bug 989127 Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name. CVE-2016-3075 openSUSE 13.2:glibc-2.19-16.25.1 openSUSE 13.2:glibc-32bit-2.19-16.25.2 openSUSE 13.2:glibc-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-debugsource-2.19-16.25.1 openSUSE 13.2:glibc-devel-2.19-16.25.1 openSUSE 13.2:glibc-devel-32bit-2.19-16.25.2 openSUSE 13.2:glibc-devel-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-devel-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-devel-static-2.19-16.25.1 openSUSE 13.2:glibc-devel-static-32bit-2.19-16.25.2 openSUSE 13.2:glibc-extra-2.19-16.25.1 openSUSE 13.2:glibc-extra-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-html-2.19-16.25.1 openSUSE 13.2:glibc-i18ndata-2.19-16.25.1 openSUSE 13.2:glibc-info-2.19-16.25.1 openSUSE 13.2:glibc-locale-2.19-16.25.1 openSUSE 13.2:glibc-locale-32bit-2.19-16.25.2 openSUSE 13.2:glibc-locale-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-locale-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-obsolete-2.19-16.25.1 openSUSE 13.2:glibc-obsolete-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-profile-2.19-16.25.1 openSUSE 13.2:glibc-profile-32bit-2.19-16.25.2 openSUSE 13.2:glibc-testsuite-2.19-16.25.2 openSUSE 13.2:glibc-utils-2.19-16.25.1 openSUSE 13.2:glibc-utils-32bit-2.19-16.25.1 openSUSE 13.2:glibc-utils-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-utils-debuginfo-32bit-2.19-16.25.1 openSUSE 13.2:glibc-utils-debugsource-2.19-16.25.1 openSUSE 13.2:nscd-2.19-16.25.1 openSUSE 13.2:nscd-debuginfo-2.19-16.25.1 moderate 4.0 AV:N/AC:H/Au:N/C:N/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html https://www.suse.com/security/cve/CVE-2016-3075.html CVE-2016-3075 https://bugzilla.suse.com/973164 SUSE Bug 973164 Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458. CVE-2016-3706 openSUSE 13.2:glibc-2.19-16.25.1 openSUSE 13.2:glibc-32bit-2.19-16.25.2 openSUSE 13.2:glibc-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-debugsource-2.19-16.25.1 openSUSE 13.2:glibc-devel-2.19-16.25.1 openSUSE 13.2:glibc-devel-32bit-2.19-16.25.2 openSUSE 13.2:glibc-devel-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-devel-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-devel-static-2.19-16.25.1 openSUSE 13.2:glibc-devel-static-32bit-2.19-16.25.2 openSUSE 13.2:glibc-extra-2.19-16.25.1 openSUSE 13.2:glibc-extra-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-html-2.19-16.25.1 openSUSE 13.2:glibc-i18ndata-2.19-16.25.1 openSUSE 13.2:glibc-info-2.19-16.25.1 openSUSE 13.2:glibc-locale-2.19-16.25.1 openSUSE 13.2:glibc-locale-32bit-2.19-16.25.2 openSUSE 13.2:glibc-locale-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-locale-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-obsolete-2.19-16.25.1 openSUSE 13.2:glibc-obsolete-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-profile-2.19-16.25.1 openSUSE 13.2:glibc-profile-32bit-2.19-16.25.2 openSUSE 13.2:glibc-testsuite-2.19-16.25.2 openSUSE 13.2:glibc-utils-2.19-16.25.1 openSUSE 13.2:glibc-utils-32bit-2.19-16.25.1 openSUSE 13.2:glibc-utils-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-utils-debuginfo-32bit-2.19-16.25.1 openSUSE 13.2:glibc-utils-debugsource-2.19-16.25.1 openSUSE 13.2:nscd-2.19-16.25.1 openSUSE 13.2:nscd-debuginfo-2.19-16.25.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html https://www.suse.com/security/cve/CVE-2016-3706.html CVE-2016-3706 https://bugzilla.suse.com/980483 SUSE Bug 980483 https://bugzilla.suse.com/997423 SUSE Bug 997423 Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets. CVE-2016-4429 openSUSE 13.2:glibc-2.19-16.25.1 openSUSE 13.2:glibc-32bit-2.19-16.25.2 openSUSE 13.2:glibc-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-debugsource-2.19-16.25.1 openSUSE 13.2:glibc-devel-2.19-16.25.1 openSUSE 13.2:glibc-devel-32bit-2.19-16.25.2 openSUSE 13.2:glibc-devel-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-devel-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-devel-static-2.19-16.25.1 openSUSE 13.2:glibc-devel-static-32bit-2.19-16.25.2 openSUSE 13.2:glibc-extra-2.19-16.25.1 openSUSE 13.2:glibc-extra-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-html-2.19-16.25.1 openSUSE 13.2:glibc-i18ndata-2.19-16.25.1 openSUSE 13.2:glibc-info-2.19-16.25.1 openSUSE 13.2:glibc-locale-2.19-16.25.1 openSUSE 13.2:glibc-locale-32bit-2.19-16.25.2 openSUSE 13.2:glibc-locale-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-locale-debuginfo-32bit-2.19-16.25.2 openSUSE 13.2:glibc-obsolete-2.19-16.25.1 openSUSE 13.2:glibc-obsolete-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-profile-2.19-16.25.1 openSUSE 13.2:glibc-profile-32bit-2.19-16.25.2 openSUSE 13.2:glibc-testsuite-2.19-16.25.2 openSUSE 13.2:glibc-utils-2.19-16.25.1 openSUSE 13.2:glibc-utils-32bit-2.19-16.25.1 openSUSE 13.2:glibc-utils-debuginfo-2.19-16.25.1 openSUSE 13.2:glibc-utils-debuginfo-32bit-2.19-16.25.1 openSUSE 13.2:glibc-utils-debugsource-2.19-16.25.1 openSUSE 13.2:nscd-2.19-16.25.1 openSUSE 13.2:nscd-debuginfo-2.19-16.25.1 moderate 2.5 AV:N/AC:H/Au:N/C:N/I:N/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html https://www.suse.com/security/cve/CVE-2016-4429.html CVE-2016-4429 https://bugzilla.suse.com/980854 SUSE Bug 980854