OESA-2024-1593

The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more.

Security Fix(es):

nscd: Stack-based buffer overflow in netgroup cache

If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary. (CVE-2024-33599)

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

(CVE-2024-33600)

nscd: netgroup cache may terminate daemon on memory allocation failure

The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

(CVE-2024-33601)

nscd: netgroup cache assumes NSS callback uses in-buffer strings

The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

(CVE-2024-33602)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:20.03-LTS-SP1 / glibc

Package

Name: glibc
Purl: pkg:rpm/openEuler/glibc&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.28-101.oe1

Ecosystem specific

{
    "src": [
        "glibc-2.28-101.oe1.src.rpm"
    ],
    "x86_64": [
        "glibc-all-langpacks-2.28-101.oe1.x86_64.rpm",
        "nss_modules-2.28-101.oe1.x86_64.rpm",
        "glibc-nss-devel-2.28-101.oe1.x86_64.rpm",
        "libnsl-2.28-101.oe1.x86_64.rpm",
        "nscd-2.28-101.oe1.x86_64.rpm",
        "glibc-locale-source-2.28-101.oe1.x86_64.rpm",
        "glibc-common-2.28-101.oe1.x86_64.rpm",
        "glibc-benchtests-2.28-101.oe1.x86_64.rpm",
        "glibc-compat-2.17-2.28-101.oe1.x86_64.rpm",
        "glibc-2.28-101.oe1.x86_64.rpm",
        "glibc-devel-2.28-101.oe1.x86_64.rpm",
        "glibc-debuginfo-2.28-101.oe1.x86_64.rpm",
        "glibc-debugutils-2.28-101.oe1.x86_64.rpm",
        "glibc-debugsource-2.28-101.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "nss_modules-2.28-101.oe1.aarch64.rpm",
        "glibc-nss-devel-2.28-101.oe1.aarch64.rpm",
        "glibc-benchtests-2.28-101.oe1.aarch64.rpm",
        "glibc-debuginfo-2.28-101.oe1.aarch64.rpm",
        "glibc-2.28-101.oe1.aarch64.rpm",
        "glibc-compat-2.17-2.28-101.oe1.aarch64.rpm",
        "libnsl-2.28-101.oe1.aarch64.rpm",
        "glibc-locale-source-2.28-101.oe1.aarch64.rpm",
        "glibc-debugsource-2.28-101.oe1.aarch64.rpm",
        "glibc-debugutils-2.28-101.oe1.aarch64.rpm",
        "nscd-2.28-101.oe1.aarch64.rpm",
        "glibc-all-langpacks-2.28-101.oe1.aarch64.rpm",
        "glibc-devel-2.28-101.oe1.aarch64.rpm",
        "glibc-common-2.28-101.oe1.aarch64.rpm"
    ],
    "noarch": [
        "glibc-help-2.28-101.oe1.noarch.rpm"
    ]
}