Bug 608656

Summary:	sys-libs/glibc: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED OBSOLETE
Severity:	normal	CC:	toolchain
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html
Whiteboard:	A3 [ebuild]
Package list:		Runtime testing required:	---

Description Thomas Deutschmann (RETIRED) gentoo-dev

2017-02-08 19:43:46 UTC

CVE-2015-5180

DNS resolver NULL pointer dereference with crafted record type

Upstream bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=18784

Upstream patch:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fc82b0a2dfe7dbd35671c10510a8da1043d746a5



CVE-2016-6323

The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation.

Upstream bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=20435

Upstream patch:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617


@ Maintainer(s): Both vulnerabilities are fixed in >=sys-libs/glibc-2.25. Please bump the package and tell us if you plan to backport fixes.

Comment 1 SpanKY gentoo-dev

2017-02-09 05:09:32 UTC

please do not file "multiple vulnerabilities" bugs.  these are awful to track.  create one bug per CVE/fix.

Comment 2 SpanKY gentoo-dev

2017-02-09 05:09:32 UTC

please do not file "multiple vulnerabilities" bugs.  these are awful to track.  create one bug per CVE/fix.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-02-09 09:16:40 UTC

Divided into two bugs, see bug 608706 and bug 608698.