[Bug 1031301] Re: Exploit for unpatched CVE reported in wild.

Launchpad Bug Tracker 1031301 at bugs.launchpad.net
Tue Oct 2 04:15:14 UTC 2012


This bug was fixed in the package eglibc - 2.11.1-0ubuntu7.11

---------------
eglibc (2.11.1-0ubuntu7.11) lucid-security; urgency=low

  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3404.patch: Fix allocation when
      handling positional parameters in printf.
    - CVE-2012-3404
  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3405.patch: fix extension of array
    - CVE-2012-3405
  * SECURITY UPDATE: stack buffer overflow in vfprintf handling
    (LP: #1031301)
    - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
      array grows too large to handle via alloca extension
    - CVE-2012-3406
  * SECURITY UPDATE: stdlib strtod integer/buffer overflows
    - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
      and modify types to avoid integer overflows
    - CVE-2012-3480
  * debian/patches/any/strtod_overflow_bug7066.patch: Fix array
    overflow in floating point parser triggered by applying patch for
    CVE-2012-3480
  * debian/testsuite-checking/expected-results-x86_64-linux-gnu-libc,
    debian/testsuite-checking/expected-results-i486-linux-gnu-libc,
    debian/testsuite-checking/expected-results-i686-linux-gnu-i386,
    debian/testsuite-checking/expected-results-i686-linux-gnu-i686,
    debian/testsuite-checking/expected-results-i686-linux-gnu-xen,
    debian/testsuite-checking/expected-results-sparc64-linux-gnu-sparc64:
    update for pre-existing testsuite failures that prevent FTBFS
    when the testsuite is enabled.
 -- Steve Beattie <sbeattie at ubuntu.com>   Fri, 28 Sep 2012 23:48:21 -0700
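The CVE-2012-3406 entry above describes the hardening pattern behind the fix: an array that starts in stack space (alloca) is moved to the heap once it grows past a bounded size, instead of extending the stack allocation without limit. The following is an added illustration of that pattern in C; it is not the eglibc patch and does not reproduce glibc's vfprintf internals. The type `grow_array`, the 8-slot stack buffer and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable array that starts in caller-provided stack storage
   and migrates to the heap once it outgrows it. Added example only; this is
   not the eglibc code or patch. */
typedef struct {
    uint32_t *items;
    size_t count;
    size_t capacity;
    int on_heap;    /* 1 once items points at malloc'd memory */
} grow_array;

void grow_array_init(grow_array *a, uint32_t *stack_storage, size_t stack_cap)
{
    a->items = stack_storage;
    a->count = 0;
    a->capacity = stack_cap;
    a->on_heap = 0;
}

/* Append one value. Returns 0 on success, -1 if the array cannot grow. */
int grow_array_push(grow_array *a, uint32_t v)
{
    if (a->count == a->capacity) {
        /* Refuse to grow if doubling the capacity, or converting it to a
           byte count, would wrap around. */
        if (a->capacity > SIZE_MAX / 2 / sizeof(uint32_t))
            return -1;
        size_t new_cap = a->capacity ? a->capacity * 2 : 1;
        size_t bytes = new_cap * sizeof(uint32_t);
        uint32_t *fresh;
        if (a->on_heap) {
            fresh = realloc(a->items, bytes);
            if (!fresh) return -1;          /* old block is still valid */
        } else {
            /* First growth: the stack buffer is never extended; the
               contents are copied to a fresh heap block instead. */
            fresh = malloc(bytes);
            if (!fresh) return -1;
            memcpy(fresh, a->items, a->count * sizeof(uint32_t));
            a->on_heap = 1;
        }
        a->items = fresh;
        a->capacity = new_cap;
    }
    a->items[a->count++] = v;
    return 0;
}

void grow_array_free(grow_array *a)
{
    if (a->on_heap) free(a->items);     /* stack storage needs no free */
    a->items = NULL;
    a->count = a->capacity = 0;
    a->on_heap = 0;
}

/* Push the values 0..n-1 through an 8-slot stack buffer and return their
   sum; *on_heap_out reports whether the array had to move to the heap.
   Returns UINT64_MAX on allocation failure. */
uint64_t sum_with_grow_array(size_t n, int *on_heap_out)
{
    uint32_t stack_slots[8];
    grow_array a;
    grow_array_init(&a, stack_slots, 8);
    for (size_t i = 0; i < n; i++) {
        if (grow_array_push(&a, (uint32_t)i) != 0) {
            grow_array_free(&a);
            return UINT64_MAX;
        }
    }
    uint64_t total = 0;
    for (size_t i = 0; i < a.count; i++) total += a.items[i];
    *on_heap_out = a.on_heap;
    grow_array_free(&a);
    return total;
}

/* Convenience: 0 if n pushes stayed on the stack, 1 if they moved to the
   heap, -1 on allocation failure. */
int grow_array_moved_to_heap(size_t n)
{
    int h = 0;
    return sum_with_grow_array(n, &h) == UINT64_MAX ? -1 : h;
}

int main(void)
{
    int h = 0;
    uint64_t s = sum_with_grow_array(1000, &h);
    printf("sum=%llu moved_to_heap=%d\n", (unsigned long long)s, h);
    return 0;
}
```

The point of the pattern is that the stack region is a fixed, small budget: once it is exhausted the data moves to the heap, where growth is bounded only by the size checks and the allocator, and a failed allocation is reported rather than silently overrunning the stack.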

** Changed in: eglibc (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3480

** Changed in: glibc (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1031301

Title:
  Exploit for unpatched CVE reported in wild.

Status in “eglibc” package in Ubuntu:
  Fix Released
Status in “glibc” package in Ubuntu:
  Fix Released

Bug description:
  CVEs are as follows:

  CVE-2012-3404
  CVE-2012-3405
  CVE-2012-3406

  lsb_release -rd
  Description:	Ubuntu 10.04.3 LTS
  Release:	10.04

  Package: libc6 (2.11.1-0ubuntu7.10)

  Details of the bugs are here upstream:

  http://www.openwall.com/lists/oss-security/2012/07/11/17

  We received reports from a colleague at another University that they
  have suffered a root compromise as a result of one of these CVEs,
  which I notice do not appear to be fixed yet in Ubuntu. They are
  running Scientific Linux 6 rather than Ubuntu, so can't be directly
  compared.

  Debian appear to have fixes out for 2 of the 3 CVEs
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681473

  They considered the security risk low, but I have reports of exploits
  in the wild.

  The details I have so far from my colleague are as follows:

  
  09:49 < DaveAG> Was it RHSA-2012:1098-1 you reckon bit you?
  09:49 < colleague> erm, one of CVE-2012-3404, CVE-2012-3405, CVE-2012-3406
  09:49 < colleague> I don't have an RHSA number to hand since this is SL
  09:50 < DaveAG> Yeah, that RHSA lists those 3 CVEs
  09:51 < colleague> Announced on the 18th July, we got done on 26th, that's scarily quick
  09:52 < colleague> There must be an exploit specifically related to use of /bin/mount
  09:53 < colleague> Lovely that with auditd running we immediately were able to spot which suid had been used to get root
  09:53 < colleague> and the lack of command line arguments to the command meant it had to be done using the environment to change the way the output was formatted
  09:57 < colleague> oh, and blocking the loading of kernel modules helped a lot
  09:57 < colleague> It forced the attacker into trying something much more difficult which crashed the kernel.
