[arch-security] [ASA-201502-8] glibc: multiple issues

Christian Rebischke chris.rebischke at gmail.com
Mon Feb 9 04:35:56 UTC 2015


Arch Linux Security Advisory ASA-201502-8
=========================================

Severity: High
Date    : 2015-02-09
CVE-ID  : CVE-2015-1472 CVE-2015-1473
Package : glibc
Type    : multiple issues
Remote  : possible (still under investigation)
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package glibc before version 2.21-1 has multiple issues that could be
exploitable.

Resolution
==========

Upgrade to 2.21-1

# pacman -Syu "glibc>=2.21-1"

The problems have been fixed upstream in version 2.21.
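To tell whether an installed package still predates the fixed release, the following added Python check (not from the advisory or from pacman itself) reimplements the vercmp ordering pacman applies to "[epoch:]pkgver[-pkgrel]" strings and runs it over one line of `pacman -Q glibc` output; the function names and the sample line "glibc 2.20-6" are constructed for this example.

```python
import re

FIXED_VERSION = "2.21-1"  # from the advisory: glibc >= 2.21-1 carries the fix

def _rpmvercmp(a: str, b: str) -> int:
    """pacman/rpm segment comparison: alternating numeric and alphabetic runs,
    numbers compared as integers and ranked newer than letters; returns -1/0/1."""
    while a and b:
        # Separators (anything non-alphanumeric) only delimit segments.
        a, b = (re.sub(r"^[^A-Za-z0-9]+", "", s) for s in (a, b))
        if not (a and b):
            break
        if a[0].isdigit() != b[0].isdigit():
            return 1 if a[0].isdigit() else -1  # numeric segment is newer
        pat = r"\d+" if a[0].isdigit() else r"[A-Za-z]+"
        sa, sb = re.match(pat, a).group(), re.match(pat, b).group()
        a, b = a[len(sa):], b[len(sb):]
        ka, kb = (int(sa), int(sb)) if pat == r"\d+" else (sa, sb)
        if ka != kb:
            return 1 if ka > kb else -1
    if not a and not b:
        return 0
    # pacman rule: a leftover alphabetic suffix ("rc1") never beats the
    # shorter version, while a leftover ".1" does.
    if (not a and not b[0].isalpha()) or (a and a[0].isalpha()):
        return -1
    return 1

def vercmp(a: str, b: str) -> int:
    """Compare full pacman versions '[epoch:]pkgver[-pkgrel]' like vercmp(8)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        pkgver, sep, pkgrel = rest.rpartition("-")
        return (epoch, pkgver, pkgrel) if sep else (epoch, rest, "")
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    result = _rpmvercmp(ea, eb) or _rpmvercmp(va, vb)
    if result == 0 and ra and rb:  # pkgrel only matters when both have one
        result = _rpmvercmp(ra, rb)
    return result

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return vercmp(installed, fixed) < 0

def check_pacman_q_line(line: str) -> tuple:
    """Parse one 'name version' line as printed by `pacman -Q glibc`
    (constructed sample: 'glibc 2.20-6') and report whether it is affected."""
    name, version = line.split()
    return name, version, is_vulnerable(version)
```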

Workaround
==========

None.

Description
===========

glibc has multiple issues, including a heap overflow and a stack overflow, that
could be exploitable. Both overflows are reachable through the swscanf function.

Impact
======

The issue is still under investigation, and it is not yet clear whether it is
exploitable. If it is, this could enable exploits against any software that
uses glibc, including remote code execution or local privilege escalation to
root.

References
==========

https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2015-1472
https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2015-1473
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
