ESB-2018.0204 - [Ubuntu] eglibc: Multiple vulnerabilities 2018-01-18

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0204
           Multiple GNU C Library vulnerabilities affect Ubuntu
                              18 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           eglibc
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000001 CVE-2017-1000409 CVE-2017-1000408
                   CVE-2017-17426 CVE-2017-16997 CVE-2017-15804
                   CVE-2017-15670  

Reference:         ESB-2018.0157

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3536-1
   https://www.ubuntu.com/usn/usn-3534-1

Comment: This bulletin contains two (2) Ubuntu security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-3536-1: GNU C Library vulnerability
Ubuntu Security Notice USN-3536-1
17th January, 2018

eglibc vulnerability
A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 12.04 LTS

Summary
The GNU C library could be made to run programs as an administrator.

Software description
eglibc - GNU C Library

Details
It was discovered that the GNU C library did not properly handle all of
the possible return values from the kernel getcwd(2) syscall. A local
attacker could potentially exploit this to execute arbitrary code in setuid
programs and gain administrative privileges. (CVE-2018-1000001)

Update instructions
The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
    libc6 2.15-0ubuntu10.21

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References
CVE-2018-1000001

- ---

USN-3534-1: GNU C Library vulnerabilities
Ubuntu Security Notice USN-3534-1
17th January, 2018

eglibc, glibc vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 17.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary
Several security issues were fixed in the GNU C library.

Software description
eglibc - GNU C Library
glibc - GNU C Library

Details
It was discovered that the GNU C library did not properly handle all of
the possible return values from the kernel getcwd(2) syscall. A local
attacker could potentially exploit this to execute arbitrary code in setuid
programs and gain administrative privileges. (CVE-2018-1000001)

A memory leak was discovered in the _dl_init_paths() function in the GNU
C library dynamic loader. A local attacker could potentially exploit this
with a specially crafted value in the LD_HWCAP_MASK environment variable,
in combination with CVE-2017-1000409 and another vulnerability on a system
with hardlink protections disabled, in order to gain administrative
privileges. (CVE-2017-1000408)

A heap-based buffer overflow was discovered in the _dl_init_paths()
function in the GNU C library dynamic loader. A local attacker could
potentially exploit this with a specially crafted value in the
LD_LIBRARY_PATH environment variable, in combination with CVE-2017-1000408
and another vulnerability on a system with hardlink protections disabled,
in order to gain administrative privileges. (CVE-2017-1000409)

An off-by-one error leading to a heap-based buffer overflow was discovered
in the GNU C library glob() implementation. An attacker could potentially
exploit this to cause a denial of service or execute arbitrary code via a
maliciously crafted pattern. (CVE-2017-15670)

A heap-based buffer overflow was discovered during unescaping of user names
with the ~ operator in the GNU C library glob() implementation. An attacker
could potentially exploit this to cause a denial of service or execute
arbitrary code via a maliciously crafted pattern. (CVE-2017-15804)

It was discovered that the GNU C library dynamic loader mishandles RPATH
and RUNPATH containing $ORIGIN for privileged (setuid or AT_SECURE)
programs. A local attacker could potentially exploit this by providing a
specially crafted library in the current working directory in order to
gain administrative privileges. (CVE-2017-16997)

It was discovered that the GNU C library malloc() implementation could
return a memory block that is too small if an attempt is made to allocate
an object whose size is close to SIZE_MAX, resulting in a heap-based
overflow. An attacker could potentially exploit this to cause a denial of
service or execute arbitrary code. This issue only affected Ubuntu 17.10.
(CVE-2017-17426)

Update instructions
The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
    libc6 2.26-0ubuntu2.1
Ubuntu 16.04 LTS:
    libc6 2.23-0ubuntu10
Ubuntu 14.04 LTS:
    libc6 2.19-0ubuntu6.14

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References
CVE-2017-1000408, CVE-2017-1000409, CVE-2017-15670, CVE-2017-15804, CVE-2017-16997, CVE-2017-17426, CVE-2018-1000001

- --------------------------END INCLUDED TEXT--------------------
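
The fixed libc6 versions listed in the two notices above can be checked per release with a short script. This is an added example, not part of the Ubuntu or AusCERT text; the function names are hypothetical, and reading "hardlink protections" as the fs.protected_hardlinks sysctl is an assumption.

```shell
#!/bin/sh
# Added example. Fixed libc6 versions are copied from USN-3536-1 and USN-3534-1.

# fixed_version RELEASE: print the fixed libc6 version for an Ubuntu release.
fixed_version() {
    case "$1" in
        12.04) echo "2.15-0ubuntu10.21" ;;
        14.04) echo "2.19-0ubuntu6.14" ;;
        16.04) echo "2.23-0ubuntu10" ;;
        17.10) echo "2.26-0ubuntu2.1" ;;
        *) return 1 ;;
    esac
}

# version_ge A B: succeed when package version A >= B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback off Debian/Ubuntu: version sort approximates dpkg ordering.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# libc6_status RELEASE INSTALLED: print patched, vulnerable or unlisted-release.
libc6_status() {
    fixed=$(fixed_version "$1") || { echo "unlisted-release"; return 0; }
    if version_ge "$2" "$fixed"; then echo "patched"; else echo "vulnerable"; fi
}

# check_host: report this machine's state, including the hardlink protection
# that the CVE-2017-1000408/1000409 descriptions depend on being disabled.
check_host() {
    release=$(. /etc/os-release && echo "$VERSION_ID")
    installed=$(dpkg-query -W -f='${Version}\n' libc6 2>/dev/null | head -n 1)
    echo "libc6 $installed on Ubuntu $release: $(libc6_status "$release" "$installed")"
    # Assumption: "hardlink protections" means the fs.protected_hardlinks sysctl.
    echo "fs.protected_hardlinks=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)"
}

# Run the live check only when asked: sh check_libc6.sh --host
if [ "${1:-}" = "--host" ]; then check_host; fi
```

A "patched" result reflects the installed package only; processes started before the update keep the old library mapped until they restart, which is why the notices call for a reboot.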

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
