Bug 10421 - sys-libs/glibc
Summary: sys-libs/glibc
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: x86 Linux
Importance: Lowest critical
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-11-08 01:50 UTC by Daniel Ahlberg (RETIRED)
Modified: 2011-10-30 22:38 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
proposed gentoo-x86/sys-libs/glibc/files/2.2.5/glibc-2.2.5-maxpacket.diff (glibc-2.2.5-maxpacket.diff, 9.68 KB, patch) - 2002-11-26 06:46 UTC, Stefan Paletta
Description Daniel Ahlberg (RETIRED) gentoo-dev 2002-11-08 01:50:35 UTC
From: bugzilla@redhat.com
To: redhat-watch-list@redhat.com, redhat-announce-list@redhat.com
Date: Wed, 6 Nov 2002 19:58 -0500

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated glibc packages fix vulnerabilities in resolver
Advisory ID:       RHSA-2002:197-09
Issue date:        2002-09-10
Updated on:        2002-11-06
Product:           Red Hat Linux
Keywords:          glibc resolv DNS
Cross references:  
Obsoletes:         RHSA-2002:166-07
CVE Names:         CAN-2002-1146
---------------------------------------------------------------------

1. Topic:

Updated glibc packages are available to fix a buffer overflow in the
resolver.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc, sparcv9
Red Hat Linux 7.0 - alpha, alphaev6, i386, i686
Red Hat Linux 7.1 - alpha, alphaev6, i386, i686, ia64
Red Hat Linux 7.2 - i386, i686, ia64
Red Hat Linux 7.3 - i386, i686

3. Problem description:

The GNU C library package, glibc, contains standard libraries used by
multiple programs on the system.

A read buffer overflow vulnerability exists in the glibc resolver code in
versions of glibc up to and including 2.2.5.  The vulnerability is
triggered by DNS packets larger than 1024 bytes and can cause applications
to crash.

All Red Hat Linux users are advised to upgrade to these errata packages
which contain a patch to correct this vulnerability.

This errata has been updated to work with programs querying DNS from
extremely small stack sizes, such as MySQL.
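The advisory describes a read overflow in the class where a resolver receives a reply into a fixed-size buffer (1024 bytes here) but later parses as many bytes as the wire length claims. The following is an added illustration of that bug class and the defensive pattern, written for this page; it is not glibc's resolver code and not the attached patch. The 1024-byte buffer, the `dns_reply_t` type, the constructed replies, and all function names are assumptions made for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size reply buffer, matching the 1024-byte threshold
 * named in the advisory. This is illustrative, not glibc's layout. */
#define REPLY_BUF_SIZE 1024
#define DNS_HEADER_LEN 12

typedef struct {
    unsigned char buf[REPLY_BUF_SIZE];
    size_t len;        /* bytes actually stored in buf */
    int truncated;     /* wire length exceeded the buffer */
} dns_reply_t;

/* Hardened receive: copy at most REPLY_BUF_SIZE bytes and record that the
 * reply did not fit. Parsing code must use r->len, never the wire length,
 * which is exactly the confusion that produces a read past the buffer.
 * Returns 0 on a complete reply, -1 if it was truncated. */
static int receive_reply(const unsigned char *wire, size_t wire_len, dns_reply_t *r)
{
    memset(r, 0, sizeof *r);
    if (wire_len > REPLY_BUF_SIZE) {
        r->truncated = 1;
        r->len = REPLY_BUF_SIZE;
    } else {
        r->len = wire_len;
    }
    memcpy(r->buf, wire, r->len);
    return r->truncated ? -1 : 0;
}

/* Bounds-checked header parse: ANCOUNT lives at header bytes 6-7.
 * Returns the answer count, or -1 when the reply is too short to hold a
 * header or was truncated (a truncated reply must not be parsed at all,
 * since record lengths inside it would point beyond the stored bytes). */
static int reply_answer_count(const dns_reply_t *r)
{
    if (r->truncated || r->len < DNS_HEADER_LEN)
        return -1;
    return (r->buf[6] << 8) | r->buf[7];
}

/* Constructed input: a small, well-formed reply claiming 2 answers. */
static int demo_small_reply_count(void)
{
    unsigned char small[40];
    dns_reply_t r;
    memset(small, 0, sizeof small);
    small[7] = 2;                      /* ANCOUNT = 2 */
    if (receive_reply(small, sizeof small, &r) != 0)
        return -2;
    return reply_answer_count(&r);     /* 2 */
}

/* Constructed input: a 1500-byte reply, larger than the 1024-byte buffer.
 * Returns 1 when the reply is flagged as truncated and refused by the
 * parser, 0 otherwise. */
static int demo_oversized_rejected(void)
{
    unsigned char big[1500];
    dns_reply_t r;
    memset(big, 0, sizeof big);
    big[7] = 1;                        /* ANCOUNT = 1 */
    int rc = receive_reply(big, sizeof big, &r);
    return rc == -1 && r.truncated == 1 && r.len == REPLY_BUF_SIZE
           && reply_answer_count(&r) == -1;
}

int main(void)
{
    printf("small reply answer count: %d\n", demo_small_reply_count());
    printf("oversized reply rejected: %d\n", demo_oversized_rejected());
    return 0;
}
```

The point of the example is the invariant that every parser index is checked against the number of bytes actually stored (`r->len`), not the length reported by the transport; a reply that does not fit is refused rather than parsed partially, which is the condition the advisory says crashed applications.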
Comment 1 Stefan Paletta 2002-11-26 06:46:30 UTC
Created attachment 5961 [details, diff]
proposed gentoo-x86/sys-libs/ glibc/files/2.2.5/glibc-2.2.5-maxpacket.diff

Adopted from RedHat; fixes the security issue and the stack size problem the
vendor patch caused.
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-09 02:58:23 UTC
Martin, any thoughts or comments on this one?
Comment 3 Martin Schlemmer (RETIRED) gentoo-dev 2002-12-09 13:32:02 UTC
I am guessing if it's a problem for Red Hat, it will be a general issue. Problem
though is if it's the same for 2.3.1 ... Daniel, did anybody else have this SA?
Comment 4 Martin Schlemmer (RETIRED) gentoo-dev 2002-12-23 14:49:02 UTC
Err, is this thing going anywhere? Don't really run 2.2.5 myself anymore,
but if it applies cleanly, cannot see why not to add it?
Comment 5 Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-27 13:32:32 UTC
I've looked around and I haven't seen any other distributions giving out advisories 
about this specific matter. Martin, I'll leave it up to you to apply this as you are the 
one most familiar with the glibc ebuilds. 
Comment 6 Martin Schlemmer (RETIRED) gentoo-dev 2002-12-27 16:28:18 UTC
Ditto, not even Mandrake has it, and they usually sync with Red Hat once every
few weeks. I'll have a look at what other patches Red Hat have in there. Might
be that they have patches for something else that broke this.

Not high priority right now, as 1.4 is keeping me busy.
Comment 7 solar (RETIRED) gentoo-dev 2003-08-15 14:05:25 UTC
Can this bug be closed now?
Comment 8 solar (RETIRED) gentoo-dev 2003-10-13 19:41:23 UTC
Alright, I'm closing this anyway. The version is just old and it's all good now.