Security update for glibc SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:0076-1 Final 1 1 2018-01-12T08:44:04Z current 2018-01-12T08:44:04Z 2018-01-12T08:44:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for glibc This update for glibc fixes the following issues: - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A buffer manipulation vulnerability in nscd has been fixed that could possibly have lead to an nscd daemon crash or code execution as the user running nscd. [CVE-2014-9984, bsc#1043984] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SERVER-12-2018-54 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20180076-1/ Link for SUSE-SU-2018:0076-1 https://lists.suse.com/pipermail/sle-security-updates/2018-January/003594.html E-Mail link for SUSE-SU-2018:0076-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1043984 SUSE Bug 1043984 https://bugzilla.suse.com/1074293 SUSE Bug 1074293 https://www.suse.com/security/cve/CVE-2014-9984/ SUSE CVE CVE-2014-9984 page https://www.suse.com/security/cve/CVE-2018-1000001/ SUSE CVE CVE-2018-1000001 page SUSE Linux Enterprise Server 12-LTSS glibc-2.19-22.24.5 glibc-32bit-2.19-22.24.5 glibc-devel-2.19-22.24.5 glibc-devel-32bit-2.19-22.24.5 glibc-html-2.19-22.24.5 glibc-i18ndata-2.19-22.24.5 glibc-info-2.19-22.24.5 glibc-locale-2.19-22.24.5 glibc-locale-32bit-2.19-22.24.5 glibc-profile-2.19-22.24.5 glibc-profile-32bit-2.19-22.24.5 nscd-2.19-22.24.5 glibc-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-32bit-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-devel-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-devel-32bit-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-html-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-i18ndata-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-info-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-locale-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-locale-32bit-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-profile-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS glibc-profile-32bit-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS nscd-2.19-22.24.5 as a component of SUSE Linux Enterprise Server 12-LTSS nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd. CVE-2014-9984 SUSE Linux Enterprise Server 12-LTSS:glibc-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-32bit-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-devel-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-devel-32bit-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-html-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-i18ndata-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-info-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-locale-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-locale-32bit-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-profile-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-profile-32bit-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:nscd-2.19-22.24.5 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180076-1/ https://www.suse.com/security/cve/CVE-2014-9984.html CVE-2014-9984 https://bugzilla.suse.com/1043984 SUSE Bug 1043984 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. CVE-2018-1000001 SUSE Linux Enterprise Server 12-LTSS:glibc-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-32bit-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-devel-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-devel-32bit-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-html-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-i18ndata-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-info-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-locale-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-locale-32bit-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-profile-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:glibc-profile-32bit-2.19-22.24.5 SUSE Linux Enterprise Server 12-LTSS:nscd-2.19-22.24.5 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20180076-1/ https://www.suse.com/security/cve/CVE-2018-1000001.html CVE-2018-1000001 https://bugzilla.suse.com/1074293 SUSE Bug 1074293 https://bugzilla.suse.com/1099047 SUSE Bug 1099047 https://bugzilla.suse.com/1123874 SUSE Bug 1123874