FEDORA-2018-8e27ad96ed — security update for glibc

stable

glibc-2.25-13.fc26

FEDORA-2018-8e27ad96ed created by fweimer 7 years ago for Fedora 26

This update addresses two security vulnerabilities:

CVE-2017-15670, CVE-2017-15671, CVE-2017-15804: Various vulnerabilities could lead to memory corruption in the glob and glob64 function. (#1505298, RHBZ##1504807)
CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with $ORIGIN rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (#1526866).
CVE-2018-1000001: getcwd would sometimes return a non-absolute path, confusing the realpath function, leading to privilege escalation in conjunction with user namespaces. (#1533837)

In addition, this update replaces the dynamic linker trampoline on x86-64 with a version which uses the XSAVE instruction if it is available. This improves compatibility with future hardware and compilers which do not follow the x86-64 ABI. This update also adjusts the thread stack size accounting to provide additional stack space compared to previous glibc versions (to avoid introducing #1527887).

Reboot Required

After installing this update it is required that you reboot your system to ensure the changes supplied by this update are applied properly.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2018-8e27ad96ed

This update has been submitted for testing by fweimer.

7 years ago

This update has been pushed to testing.

7 years ago

filiperosset commented & provided feedback 7 years ago

karma

no regressions noted

hreindl commented & provided feedback 7 years ago

karma

works for me

samoht0 commented & provided feedback 7 years ago

karma

no regressions noted

This update has been submitted for batched by bodhi.

7 years ago

This update has been submitted for stable by bodhi.

7 years ago

This update has been pushed to stable.

7 years ago

Please log in to add feedback.

Metadata

Type

security

Severity

medium

Karma

Signed

Content Type

RPM

Test Gating

failed

Autopush Settings

Unstable by Karma

-3

Stable by Karma

Stable by Time

disabled

Dates

submitted

7 years ago

in testing

7 years ago

in stable

7 years ago

Builds

glibc-2.25-13.fc26

BZ#1504807 CVE-2017-15670 CVE-2017-15671 glibc: various flaws [fedora-all]

BZ#1526866 CVE-2017-16997 glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries [fedora-all]

BZ#1533837 CVE-2018-1000001 glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation [fedora-all]

glibc-2.25-13.fc26

Automated Test Results

For help debugging failed Fedora CI tests (fedora-ci.*), contact the Fedora CI team.
For help debugging failed Fedora CoreOS tests (coreos.*), contact the Fedora CoreOS team.
For help debugging failed openQA tests (update.*), contact the Fedora Quality team, who will usually investigate and diagnose all failures within 24 hours.

failed