Security update for glibc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0510-1 Final 1 1 2016-02-18T20:01:40Z current 2016-02-18T20:01:40Z 2016-02-18T20:01:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for glibc This update for glibc fixes the following issues: - errorcheck-mutex-no-elision.patch: Don't do lock elision on an error checking mutex (boo#956716, BZ #17514) - reinitialize-dl_load_write_lock.patch: Reinitialize dl_load_write_lock on fork (boo#958315, BZ #19282) - send-dg-buffer-overflow.patch: Fix getaddrinfo stack-based buffer overflow (CVE-2015-7547, boo#961721, BZ #18665) - strftime-range-check.patch: Add range check on time fields (CVE-2015-8776, boo#962736, BZ #18985) - hcreate-overflow-check.patch: Handle overflow in hcreate (CVE-2015-8778, boo#962737, BZ #18240) - refactor-nan-parsing.patch: Refactor strtod parsing of NaN payloads (CVE-2014-9761, boo#962738, BZ #16962) - catopen-unbound-alloca.patch: Fix unbound alloca in catopen (CVE-2015-8779, boo#962739, BZ #17905) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html E-Mail link for openSUSE-SU-2016:0510-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 glibc-2.19-16.22.2 glibc-32bit-2.19-16.22.2 glibc-debuginfo-2.19-16.22.2 glibc-debuginfo-32bit-2.19-16.22.2 glibc-debugsource-2.19-16.22.2 glibc-devel-2.19-16.22.2 glibc-devel-32bit-2.19-16.22.2 glibc-devel-debuginfo-2.19-16.22.2 glibc-devel-debuginfo-32bit-2.19-16.22.2 glibc-devel-static-2.19-16.22.2 glibc-devel-static-32bit-2.19-16.22.2 glibc-extra-2.19-16.22.2 glibc-extra-debuginfo-2.19-16.22.2 glibc-html-2.19-16.22.2 glibc-i18ndata-2.19-16.22.2 glibc-info-2.19-16.22.2 glibc-locale-2.19-16.22.2 glibc-locale-32bit-2.19-16.22.2 glibc-locale-debuginfo-2.19-16.22.2 glibc-locale-debuginfo-32bit-2.19-16.22.2 glibc-obsolete-2.19-16.22.2 glibc-obsolete-debuginfo-2.19-16.22.2 glibc-profile-2.19-16.22.2 glibc-profile-32bit-2.19-16.22.2 glibc-testsuite-2.19-16.22.4 glibc-utils-2.19-16.22.2 glibc-utils-32bit-2.19-16.22.2 glibc-utils-debuginfo-2.19-16.22.2 glibc-utils-debuginfo-32bit-2.19-16.22.2 glibc-utils-debugsource-2.19-16.22.2 nscd-2.19-16.22.2 nscd-debuginfo-2.19-16.22.2 glibc-2.19-16.22.2 as a component of openSUSE 13.2 glibc-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-debuginfo-2.19-16.22.2 as a component of openSUSE 13.2 glibc-debuginfo-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-debugsource-2.19-16.22.2 as a component of openSUSE 13.2 glibc-devel-2.19-16.22.2 as a component of openSUSE 13.2 glibc-devel-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-devel-debuginfo-2.19-16.22.2 as a component of openSUSE 13.2 glibc-devel-debuginfo-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-devel-static-2.19-16.22.2 as a component of openSUSE 13.2 glibc-devel-static-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-extra-2.19-16.22.2 as a component of openSUSE 13.2 glibc-extra-debuginfo-2.19-16.22.2 as a component of openSUSE 13.2 glibc-html-2.19-16.22.2 as a component of openSUSE 13.2 glibc-i18ndata-2.19-16.22.2 as a component of openSUSE 13.2 glibc-info-2.19-16.22.2 as a component of openSUSE 13.2 glibc-locale-2.19-16.22.2 as a component of openSUSE 13.2 glibc-locale-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-locale-debuginfo-2.19-16.22.2 as a component of openSUSE 13.2 glibc-locale-debuginfo-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-obsolete-2.19-16.22.2 as a component of openSUSE 13.2 glibc-obsolete-debuginfo-2.19-16.22.2 as a component of openSUSE 13.2 glibc-profile-2.19-16.22.2 as a component of openSUSE 13.2 glibc-profile-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-testsuite-2.19-16.22.4 as a component of openSUSE 13.2 glibc-utils-2.19-16.22.2 as a component of openSUSE 13.2 glibc-utils-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-utils-debuginfo-2.19-16.22.2 as a component of openSUSE 13.2 glibc-utils-debuginfo-32bit-2.19-16.22.2 as a component of openSUSE 13.2 glibc-utils-debugsource-2.19-16.22.2 as a component of openSUSE 13.2 nscd-2.19-16.22.2 as a component of openSUSE 13.2 nscd-debuginfo-2.19-16.22.2 as a component of openSUSE 13.2 Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function. CVE-2014-9761 openSUSE 13.2:glibc-2.19-16.22.2 openSUSE 13.2:glibc-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debugsource-2.19-16.22.2 openSUSE 13.2:glibc-devel-2.19-16.22.2 openSUSE 13.2:glibc-devel-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-32bit-2.19-16.22.2 openSUSE 13.2:glibc-extra-2.19-16.22.2 openSUSE 13.2:glibc-extra-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-html-2.19-16.22.2 openSUSE 13.2:glibc-i18ndata-2.19-16.22.2 openSUSE 13.2:glibc-info-2.19-16.22.2 openSUSE 13.2:glibc-locale-2.19-16.22.2 openSUSE 13.2:glibc-locale-32bit-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-profile-2.19-16.22.2 openSUSE 13.2:glibc-profile-32bit-2.19-16.22.2 openSUSE 13.2:glibc-testsuite-2.19-16.22.4 openSUSE 13.2:glibc-utils-2.19-16.22.2 openSUSE 13.2:glibc-utils-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debugsource-2.19-16.22.2 openSUSE 13.2:nscd-2.19-16.22.2 openSUSE 13.2:nscd-debuginfo-2.19-16.22.2 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html https://www.suse.com/security/cve/CVE-2014-9761.html CVE-2014-9761 https://bugzilla.suse.com/962738 SUSE Bug 962738 https://bugzilla.suse.com/986086 SUSE Bug 986086 Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module. CVE-2015-7547 openSUSE 13.2:glibc-2.19-16.22.2 openSUSE 13.2:glibc-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debugsource-2.19-16.22.2 openSUSE 13.2:glibc-devel-2.19-16.22.2 openSUSE 13.2:glibc-devel-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-32bit-2.19-16.22.2 openSUSE 13.2:glibc-extra-2.19-16.22.2 openSUSE 13.2:glibc-extra-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-html-2.19-16.22.2 openSUSE 13.2:glibc-i18ndata-2.19-16.22.2 openSUSE 13.2:glibc-info-2.19-16.22.2 openSUSE 13.2:glibc-locale-2.19-16.22.2 openSUSE 13.2:glibc-locale-32bit-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-profile-2.19-16.22.2 openSUSE 13.2:glibc-profile-32bit-2.19-16.22.2 openSUSE 13.2:glibc-testsuite-2.19-16.22.4 openSUSE 13.2:glibc-utils-2.19-16.22.2 openSUSE 13.2:glibc-utils-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debugsource-2.19-16.22.2 openSUSE 13.2:nscd-2.19-16.22.2 openSUSE 13.2:nscd-debuginfo-2.19-16.22.2 important 5.7 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html https://www.suse.com/security/cve/CVE-2015-7547.html CVE-2015-7547 https://bugzilla.suse.com/847227 SUSE Bug 847227 https://bugzilla.suse.com/961721 SUSE Bug 961721 https://bugzilla.suse.com/967023 SUSE Bug 967023 https://bugzilla.suse.com/967061 SUSE Bug 967061 https://bugzilla.suse.com/967072 SUSE Bug 967072 https://bugzilla.suse.com/967496 SUSE Bug 967496 https://bugzilla.suse.com/969216 SUSE Bug 969216 https://bugzilla.suse.com/969241 SUSE Bug 969241 https://bugzilla.suse.com/986086 SUSE Bug 986086 The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value. CVE-2015-8776 openSUSE 13.2:glibc-2.19-16.22.2 openSUSE 13.2:glibc-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debugsource-2.19-16.22.2 openSUSE 13.2:glibc-devel-2.19-16.22.2 openSUSE 13.2:glibc-devel-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-32bit-2.19-16.22.2 openSUSE 13.2:glibc-extra-2.19-16.22.2 openSUSE 13.2:glibc-extra-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-html-2.19-16.22.2 openSUSE 13.2:glibc-i18ndata-2.19-16.22.2 openSUSE 13.2:glibc-info-2.19-16.22.2 openSUSE 13.2:glibc-locale-2.19-16.22.2 openSUSE 13.2:glibc-locale-32bit-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-profile-2.19-16.22.2 openSUSE 13.2:glibc-profile-32bit-2.19-16.22.2 openSUSE 13.2:glibc-testsuite-2.19-16.22.4 openSUSE 13.2:glibc-utils-2.19-16.22.2 openSUSE 13.2:glibc-utils-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debugsource-2.19-16.22.2 openSUSE 13.2:nscd-2.19-16.22.2 openSUSE 13.2:nscd-debuginfo-2.19-16.22.2 important 4.0 AV:N/AC:H/Au:N/C:P/I:N/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html https://www.suse.com/security/cve/CVE-2015-8776.html CVE-2015-8776 https://bugzilla.suse.com/962736 SUSE Bug 962736 https://bugzilla.suse.com/986086 SUSE Bug 986086 Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access. CVE-2015-8778 openSUSE 13.2:glibc-2.19-16.22.2 openSUSE 13.2:glibc-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debugsource-2.19-16.22.2 openSUSE 13.2:glibc-devel-2.19-16.22.2 openSUSE 13.2:glibc-devel-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-32bit-2.19-16.22.2 openSUSE 13.2:glibc-extra-2.19-16.22.2 openSUSE 13.2:glibc-extra-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-html-2.19-16.22.2 openSUSE 13.2:glibc-i18ndata-2.19-16.22.2 openSUSE 13.2:glibc-info-2.19-16.22.2 openSUSE 13.2:glibc-locale-2.19-16.22.2 openSUSE 13.2:glibc-locale-32bit-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-profile-2.19-16.22.2 openSUSE 13.2:glibc-profile-32bit-2.19-16.22.2 openSUSE 13.2:glibc-testsuite-2.19-16.22.4 openSUSE 13.2:glibc-utils-2.19-16.22.2 openSUSE 13.2:glibc-utils-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debugsource-2.19-16.22.2 openSUSE 13.2:nscd-2.19-16.22.2 openSUSE 13.2:nscd-debuginfo-2.19-16.22.2 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html https://www.suse.com/security/cve/CVE-2015-8778.html CVE-2015-8778 https://bugzilla.suse.com/962737 SUSE Bug 962737 https://bugzilla.suse.com/986086 SUSE Bug 986086 Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name. CVE-2015-8779 openSUSE 13.2:glibc-2.19-16.22.2 openSUSE 13.2:glibc-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-debugsource-2.19-16.22.2 openSUSE 13.2:glibc-devel-2.19-16.22.2 openSUSE 13.2:glibc-devel-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-devel-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-2.19-16.22.2 openSUSE 13.2:glibc-devel-static-32bit-2.19-16.22.2 openSUSE 13.2:glibc-extra-2.19-16.22.2 openSUSE 13.2:glibc-extra-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-html-2.19-16.22.2 openSUSE 13.2:glibc-i18ndata-2.19-16.22.2 openSUSE 13.2:glibc-info-2.19-16.22.2 openSUSE 13.2:glibc-locale-2.19-16.22.2 openSUSE 13.2:glibc-locale-32bit-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-locale-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-2.19-16.22.2 openSUSE 13.2:glibc-obsolete-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-profile-2.19-16.22.2 openSUSE 13.2:glibc-profile-32bit-2.19-16.22.2 openSUSE 13.2:glibc-testsuite-2.19-16.22.4 openSUSE 13.2:glibc-utils-2.19-16.22.2 openSUSE 13.2:glibc-utils-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-2.19-16.22.2 openSUSE 13.2:glibc-utils-debuginfo-32bit-2.19-16.22.2 openSUSE 13.2:glibc-utils-debugsource-2.19-16.22.2 openSUSE 13.2:nscd-2.19-16.22.2 openSUSE 13.2:nscd-debuginfo-2.19-16.22.2 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html https://www.suse.com/security/cve/CVE-2015-8779.html CVE-2015-8779 https://bugzilla.suse.com/962739 SUSE Bug 962739 https://bugzilla.suse.com/965453 SUSE Bug 965453 https://bugzilla.suse.com/986086 SUSE Bug 986086