Security update for glibc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2159-1 Final 1 1 2018-08-01T12:03:54Z current 2018-08-01T12:03:54Z 2018-08-01T12:03:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for glibc This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spaned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have writen data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00000.html E-Mail link for openSUSE-SU-2018:2159-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 glibc-2.26-lp150.11.6.120 glibc-32bit-2.26-lp150.11.6.120 glibc-devel-2.26-lp150.11.6.120 glibc-devel-32bit-2.26-lp150.11.6.120 glibc-devel-static-2.26-lp150.11.6.120 glibc-devel-static-32bit-2.26-lp150.11.6.120 glibc-extra-2.26-lp150.11.6.120 glibc-html-2.26-lp150.11.6.120 glibc-i18ndata-2.26-lp150.11.6.120 glibc-info-2.26-lp150.11.6.120 glibc-locale-2.26-lp150.11.6.120 glibc-locale-32bit-2.26-lp150.11.6.120 glibc-profile-2.26-lp150.11.6.120 glibc-profile-32bit-2.26-lp150.11.6.120 glibc-testsuite-src-2.26-lp150.11.6.120 glibc-utils-2.26-lp150.11.6.120 glibc-utils-32bit-2.26-lp150.11.6.120 glibc-utils-src-2.26-lp150.11.6.120 nscd-2.26-lp150.11.6.120 glibc-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-32bit-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-devel-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-devel-32bit-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-devel-static-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-devel-static-32bit-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-extra-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-html-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-i18ndata-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-info-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-locale-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-locale-32bit-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-profile-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-profile-32bit-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-testsuite-src-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-utils-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-utils-32bit-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 glibc-utils-src-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 nscd-2.26-lp150.11.6.120 as a component of openSUSE Leap 15.0 An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution. CVE-2017-18269 openSUSE Leap 15.0:glibc-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-static-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-static-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-extra-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-html-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-i18ndata-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-info-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-locale-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-locale-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-profile-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-profile-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-testsuite-src-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-utils-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-utils-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-utils-src-2.26-lp150.11.6.120 openSUSE Leap 15.0:nscd-2.26-lp150.11.6.120 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00000.html https://www.suse.com/security/cve/CVE-2017-18269.html CVE-2017-18269 https://bugzilla.suse.com/1094150 SUSE Bug 1094150 https://bugzilla.suse.com/1118435 SUSE Bug 1118435 stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. CVE-2018-11236 openSUSE Leap 15.0:glibc-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-static-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-static-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-extra-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-html-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-i18ndata-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-info-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-locale-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-locale-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-profile-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-profile-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-testsuite-src-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-utils-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-utils-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-utils-src-2.26-lp150.11.6.120 openSUSE Leap 15.0:nscd-2.26-lp150.11.6.120 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00000.html https://www.suse.com/security/cve/CVE-2018-11236.html CVE-2018-11236 https://bugzilla.suse.com/1094161 SUSE Bug 1094161 https://bugzilla.suse.com/1118435 SUSE Bug 1118435 An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper. CVE-2018-11237 openSUSE Leap 15.0:glibc-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-static-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-devel-static-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-extra-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-html-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-i18ndata-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-info-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-locale-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-locale-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-profile-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-profile-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-testsuite-src-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-utils-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-utils-32bit-2.26-lp150.11.6.120 openSUSE Leap 15.0:glibc-utils-src-2.26-lp150.11.6.120 openSUSE Leap 15.0:nscd-2.26-lp150.11.6.120 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00000.html https://www.suse.com/security/cve/CVE-2018-11237.html CVE-2018-11237 https://bugzilla.suse.com/1092877 SUSE Bug 1092877 https://bugzilla.suse.com/1094154 SUSE Bug 1094154 https://bugzilla.suse.com/1118435 SUSE Bug 1118435