Security update for glibc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1629-1 Final 1 1 2017-06-20T21:51:20Z current 2017-06-20T21:51:20Z 2017-06-20T21:51:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for glibc This update for glibc fixes the following issues: - CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357] - A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043] This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00024.html E-Mail link for openSUSE-SU-2017:1629-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 glibc-2.22-4.9.1 glibc-32bit-2.22-4.9.1 glibc-devel-2.22-4.9.1 glibc-devel-32bit-2.22-4.9.1 glibc-devel-static-2.22-4.9.1 glibc-devel-static-32bit-2.22-4.9.1 glibc-extra-2.22-4.9.1 glibc-html-2.22-4.9.1 glibc-i18ndata-2.22-4.9.1 glibc-info-2.22-4.9.1 glibc-locale-2.22-4.9.1 glibc-locale-32bit-2.22-4.9.1 glibc-obsolete-2.22-4.9.1 glibc-profile-2.22-4.9.1 glibc-profile-32bit-2.22-4.9.1 glibc-testsuite-2.22-4.9.2 glibc-utils-2.22-4.9.1 glibc-utils-32bit-2.22-4.9.1 nscd-2.22-4.9.1 glibc-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-32bit-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-devel-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-devel-32bit-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-devel-static-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-devel-static-32bit-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-extra-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-html-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-i18ndata-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-info-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-locale-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-locale-32bit-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-obsolete-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-profile-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-profile-32bit-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-testsuite-2.22-4.9.2 as a component of openSUSE Leap 42.2 glibc-utils-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc-utils-32bit-2.22-4.9.1 as a component of openSUSE Leap 42.2 nscd-2.22-4.9.1 as a component of openSUSE Leap 42.2 glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. CVE-2017-1000366 openSUSE Leap 42.2:glibc-2.22-4.9.1 openSUSE Leap 42.2:glibc-32bit-2.22-4.9.1 openSUSE Leap 42.2:glibc-devel-2.22-4.9.1 openSUSE Leap 42.2:glibc-devel-32bit-2.22-4.9.1 openSUSE Leap 42.2:glibc-devel-static-2.22-4.9.1 openSUSE Leap 42.2:glibc-devel-static-32bit-2.22-4.9.1 openSUSE Leap 42.2:glibc-extra-2.22-4.9.1 openSUSE Leap 42.2:glibc-html-2.22-4.9.1 openSUSE Leap 42.2:glibc-i18ndata-2.22-4.9.1 openSUSE Leap 42.2:glibc-info-2.22-4.9.1 openSUSE Leap 42.2:glibc-locale-2.22-4.9.1 openSUSE Leap 42.2:glibc-locale-32bit-2.22-4.9.1 openSUSE Leap 42.2:glibc-obsolete-2.22-4.9.1 openSUSE Leap 42.2:glibc-profile-2.22-4.9.1 openSUSE Leap 42.2:glibc-profile-32bit-2.22-4.9.1 openSUSE Leap 42.2:glibc-testsuite-2.22-4.9.2 openSUSE Leap 42.2:glibc-utils-2.22-4.9.1 openSUSE Leap 42.2:glibc-utils-32bit-2.22-4.9.1 openSUSE Leap 42.2:nscd-2.22-4.9.1 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00024.html https://www.suse.com/security/cve/CVE-2017-1000366.html CVE-2017-1000366 https://bugzilla.suse.com/1037551 SUSE Bug 1037551 https://bugzilla.suse.com/1039357 SUSE Bug 1039357 https://bugzilla.suse.com/1071319 SUSE Bug 1071319