Bug 608656

Summary: sys-libs/glibc: multiple vulnerabilities
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: normal
CC: toolchain
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html
Whiteboard: A3 [ebuild]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-08 19:43:46 UTC
CVE-2015-5180

DNS resolver NULL pointer dereference with crafted record type

Upstream bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=18784

Upstream patch:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fc82b0a2dfe7dbd35671c10510a8da1043d746a5



CVE-2016-6323

The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation.

Upstream bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=20435

Upstream patch:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617


@ Maintainer(s): Both vulnerabilities are fixed in >=sys-libs/glibc-2.25. Please bump the package and tell us if you plan to backport fixes.
Comment 1 SpanKY gentoo-dev 2017-02-09 05:09:32 UTC
please do not file "multiple vulnerabilities" bugs.  these are awful to track.  create one bug per CVE/fix.
Comment 2 SpanKY gentoo-dev 2017-02-09 05:09:32 UTC
please do not file "multiple vulnerabilities" bugs.  these are awful to track.  create one bug per CVE/fix.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-09 09:16:40 UTC
Divided into two bugs, see bug 608706 and bug 608698.