From security@linux-mandrake.com Wed Nov 19 03:30:26 2003
From: Mandrake Linux Security Team
To: full-disclosure@lists.netsys.com
Date: 19 Nov 2003 04:56:40 -0000
Subject: [Full-Disclosure] MDKSA-2003:107 - Updated glibc packages fix vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

                Mandrake Linux Security Update Advisory
_______________________________________________________________________

 Package name:           glibc
 Advisory ID:            MDKSA-2003:107
 Date:                   November 18th, 2003
 Affected versions:      9.0, 9.1, Corporate Server 2.1,
                         Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

 A bug was discovered in the getgrouplist function in glibc that can
 cause a buffer overflow if the size of the group list is too small to
 hold all the user's groups.  This overflow can cause segmentation
 faults in various user applications, some of which may lead to
 additional security problems.  The problem can only be triggered if
 the user is in a larger number of groups than expected by an
 application.

 The provided packages are patched to address this issue.
_______________________________________________________________________

References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0689
______________________________________________________________________

Updated Packages:

 Corporate Server 2.1:
 a75afbeab6bb0af8312606a5206b649f  corporate/2.1/RPMS/glibc-2.2.5-16.3.C21mdk.i586.rpm
 0728825f51c3bbdd93c8f2573927c035  corporate/2.1/RPMS/glibc-devel-2.2.5-16.3.C21mdk.i586.rpm
 cb76d0a10f88a3194023065888e16a9e  corporate/2.1/RPMS/glibc-i18ndata-2.2.5-16.3.C21mdk.i586.rpm
 904f109cf66575c2eaa8e15a6f1ddee1  corporate/2.1/RPMS/glibc-profile-2.2.5-16.3.C21mdk.i586.rpm
 007307c4d8a271f72a97fc97f7303ff5  corporate/2.1/RPMS/glibc-static-devel-2.2.5-16.3.C21mdk.i586.rpm
 4c8a57e8fdc3acefb8daa6eeda23ba70  corporate/2.1/RPMS/glibc-utils-2.2.5-16.3.C21mdk.i586.rpm
 76efd47f25ba60c9bbc567668a38e4ff  corporate/2.1/RPMS/ldconfig-2.2.5-16.3.C21mdk.i586.rpm
 efd517e924eb066acd0856bb476f87af  corporate/2.1/RPMS/nscd-2.2.5-16.3.C21mdk.i586.rpm
 7c062ed74887835eba2f1a50a265b8c9  corporate/2.1/RPMS/timezone-2.2.5-16.3.C21mdk.i586.rpm
 61f2d1b5fe0bc03cb0af9ef086c667bb  corporate/2.1/SRPMS/glibc-2.2.5-16.3.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 5aae39182bab1d726180953a7cd8d792  x86_64/corporate/2.1/RPMS/glibc-2.2.5-28.1.C21mdk.x86_64.rpm
 d3486ac35ba3d078e737be31113475f0  x86_64/corporate/2.1/RPMS/glibc-debug-2.2.5-28.1.C21mdk.x86_64.rpm
 939043df28c991d7b37b33fef3d0feb2  x86_64/corporate/2.1/RPMS/glibc-devel-2.2.5-28.1.C21mdk.x86_64.rpm
 c1b184cb452e4d60f268a4fc5f48e174  x86_64/corporate/2.1/RPMS/glibc-i18ndata-2.2.5-28.1.C21mdk.x86_64.rpm
 f2777101e2778fe7de39673220d7a069  x86_64/corporate/2.1/RPMS/glibc-profile-2.2.5-28.1.C21mdk.x86_64.rpm
 b2d191df43537f5f8e2e100b1de072ed  x86_64/corporate/2.1/RPMS/glibc-static-devel-2.2.5-28.1.C21mdk.x86_64.rpm
 083d9e44ce870e0d0ba2cea4c67963ec  x86_64/corporate/2.1/RPMS/glibc-utils-2.2.5-28.1.C21mdk.x86_64.rpm
 0e6f3655b336442eb80847d1e2be858a  x86_64/corporate/2.1/RPMS/ldconfig-2.2.5-28.1.C21mdk.x86_64.rpm
 059c6093ad5916e48a8786211a7ece0a  x86_64/corporate/2.1/RPMS/nscd-2.2.5-28.1.C21mdk.x86_64.rpm
 e0a23600cbd0ceb7a44fd4e275b4f454  x86_64/corporate/2.1/RPMS/timezone-2.2.5-28.1.C21mdk.x86_64.rpm
 c4de027516cfb1c943656f3876c89c44  x86_64/corporate/2.1/SRPMS/glibc-2.2.5-28.1.C21mdk.src.rpm

 Mandrake Linux 9.0:
 e64b4f099e7cd715c5ff1fc895101821  9.0/RPMS/glibc-2.2.5-16.3.90mdk.i586.rpm
 48a4f54fc49c39306a002633ae4495af  9.0/RPMS/glibc-devel-2.2.5-16.3.90mdk.i586.rpm
 9db7115962de7c0680ce0de12ea1955c  9.0/RPMS/glibc-i18ndata-2.2.5-16.3.90mdk.i586.rpm
 c5fed843eb910c860e3af39e6583e3bb  9.0/RPMS/glibc-profile-2.2.5-16.3.90mdk.i586.rpm
 2608fa069dfd563541f018742310d7b0  9.0/RPMS/glibc-static-devel-2.2.5-16.3.90mdk.i586.rpm
 101574c95eeb7e8849f9ef0010afdec4  9.0/RPMS/glibc-utils-2.2.5-16.3.90mdk.i586.rpm
 9c809b34abce979ef8cc2dea06a4b025  9.0/RPMS/ldconfig-2.2.5-16.3.90mdk.i586.rpm
 2b04e51c90b79235ccfe673b123fbb9c  9.0/RPMS/nscd-2.2.5-16.3.90mdk.i586.rpm
 386ac1d7f745c8deb1d3346cf86f7b51  9.0/RPMS/timezone-2.2.5-16.3.90mdk.i586.rpm
 434a57fb27d0d12337bc579eaf89d1db  9.0/SRPMS/glibc-2.2.5-16.3.90mdk.src.rpm

 Mandrake Linux 9.1:
 14b04c0c5abfcdeeb7ddcd99dff6f59c  9.1/RPMS/glibc-2.3.1-10.1.91mdk.i586.rpm
 db0399ed5e4e5932ccd68eb1d971e918  9.1/RPMS/glibc-debug-2.3.1-10.1.91mdk.i586.rpm
 55e698783b2f00d56e74a6a0295ddc65  9.1/RPMS/glibc-devel-2.3.1-10.1.91mdk.i586.rpm
 8d794fa39d989aff297eecddf8f3a89a  9.1/RPMS/glibc-i18ndata-2.3.1-10.1.91mdk.i586.rpm
 28000c25d34f6b6136092840825009a8  9.1/RPMS/glibc-profile-2.3.1-10.1.91mdk.i586.rpm
 2fd232922ed61aba14ca2da29948bfa5  9.1/RPMS/glibc-static-devel-2.3.1-10.1.91mdk.i586.rpm
 93c16beb43e79147b89d89dc080dcc3c  9.1/RPMS/glibc-utils-2.3.1-10.1.91mdk.i586.rpm
 dde039c956d163bfd0d58729765acc0d  9.1/RPMS/ldconfig-2.3.1-10.1.91mdk.i586.rpm
 c4a00854f69004fdc8875ceae2a23cab  9.1/RPMS/nscd-2.3.1-10.1.91mdk.i586.rpm
 e8f5a1eddced3c8e63d2a00236468a0a  9.1/RPMS/timezone-2.3.1-10.1.91mdk.i586.rpm
 6c7aa1aae0bc39f4211a3d0d1b9b79fa  9.1/SRPMS/glibc-2.3.1-10.1.91mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 bdacbfff4264a72f3106bd323597d668  ppc/9.1/RPMS/glibc-2.3.1-10.1.91mdk.ppc.rpm
 1b3c15be2106be26ed3532a372f68e27  ppc/9.1/RPMS/glibc-debug-2.3.1-10.1.91mdk.ppc.rpm
 5e08d596df7113323ae399c04328c091  ppc/9.1/RPMS/glibc-devel-2.3.1-10.1.91mdk.ppc.rpm
 4a763d9d65729ae8523b3991561d8cdb  ppc/9.1/RPMS/glibc-i18ndata-2.3.1-10.1.91mdk.ppc.rpm
 5b856ef8b4e1fcba7b6ea4a04c158e87  ppc/9.1/RPMS/glibc-profile-2.3.1-10.1.91mdk.ppc.rpm
 0f51825ee3c18bcb2feb3a8dd2739f46  ppc/9.1/RPMS/glibc-static-devel-2.3.1-10.1.91mdk.ppc.rpm
 111efa86d73c156110a31eaa6bbe9f02  ppc/9.1/RPMS/glibc-utils-2.3.1-10.1.91mdk.ppc.rpm
 0cfa1714f9ef4e1c62498d08ee5b3042  ppc/9.1/RPMS/ldconfig-2.3.1-10.1.91mdk.ppc.rpm
 c961c16bc6eef858083f6e42d5f875c1  ppc/9.1/RPMS/nscd-2.3.1-10.1.91mdk.ppc.rpm
 ea602b9406296fc2f198167924ab35cf  ppc/9.1/RPMS/timezone-2.3.1-10.1.91mdk.ppc.rpm
 6c7aa1aae0bc39f4211a3d0d1b9b79fa  ppc/9.1/SRPMS/glibc-2.3.1-10.1.91mdk.src.rpm

 Multi Network Firewall 8.2:
 058bc1cc39d9af370e6334de4d5ca892  mnf8.2/RPMS/glibc-2.2.4-26.3.M82mdk.i586.rpm
 b8feb768e9825ed998b46b90094543fd  mnf8.2/RPMS/ldconfig-2.2.4-26.3.M82mdk.i586.rpm
 be3a063c275d0240395b433aef3a7ea4  mnf8.2/SRPMS/glibc-2.2.4-26.3.M82mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.
Information on these lists can be obtained by visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/uvgImqjQ0CJFipgRAtiGAJwPfnSelVLECYrDYKCOjtZIfORzvgCfctxx
0h5uimjEFIZdZd01HpsMjYk=
=aMES
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
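
Added example, not part of the Mandrake advisory or of glibc: the Problem Description above turns on a group list that is too small for the user's groups, and this C sketch shows the caller side of that contract, where getgrouplist() returns -1 and reports the needed size so the caller can resize and retry. The helper name get_all_groups, the MAX_GROUPS_SANE bound and the "root"/gid 0 sample input are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1        /* exposes getgrouplist() in <grp.h> */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_GROUPS_SANE 65536    /* assumed upper bound, not from the advisory */

/* Hypothetical helper: returns a malloc'd array with every group of `user`
 * (primary group included) and stores the count in *count.
 * Returns NULL on failure; the caller frees the result. */
gid_t *get_all_groups(const char *user, gid_t primary, int initial_cap, int *count)
{
    int cap = initial_cap > 0 ? initial_cap : 1;
    gid_t *list = NULL;

    /* Membership can change between calls, so allow a few resize rounds. */
    for (int attempt = 0; attempt < 4; attempt++) {
        gid_t *tmp = realloc(list, (size_t)cap * sizeof *tmp);
        if (tmp == NULL)
            break;
        list = tmp;

        int n = cap;             /* in: capacity, out: groups found */
        if (getgrouplist(user, primary, list, &n) >= 0) {
            *count = n;
            return list;
        }
        /* -1: the list did not fit; n now holds the size that is needed. */
        if (n <= cap || n > MAX_GROUPS_SANE)
            break;
        cap = n;
    }
    free(list);
    *count = 0;
    return NULL;
}

int main(void)
{
    int count;
    gid_t *groups = get_all_groups("root", 0, 1, &count); /* 1 forces a retry for most accounts */
    if (groups == NULL)
        return 1;
    for (int i = 0; i < count; i++)
        printf("%lu\n", (unsigned long)groups[i]);
    free(groups);
    return 0;
}
```

A caller written this way still depends on the patched packages, because the overflow the advisory describes is in glibc's getgrouplist itself.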