glibc-2.34-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10792 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z glibc-2.34-1.2 on GA media These are all security issues fixed in the glibc-2.34-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10792 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10792 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-5064/ SUSE CVE CVE-2009-5064 page https://www.suse.com/security/cve/CVE-2009-5155/ SUSE CVE CVE-2009-5155 page https://www.suse.com/security/cve/CVE-2010-3192/ SUSE CVE CVE-2010-3192 page https://www.suse.com/security/cve/CVE-2015-5180/ SUSE CVE CVE-2015-5180 page https://www.suse.com/security/cve/CVE-2016-10228/ SUSE CVE CVE-2016-10228 page https://www.suse.com/security/cve/CVE-2016-10739/ SUSE CVE CVE-2016-10739 page https://www.suse.com/security/cve/CVE-2016-6261/ SUSE CVE CVE-2016-6261 page https://www.suse.com/security/cve/CVE-2016-6323/ SUSE CVE CVE-2016-6323 page https://www.suse.com/security/cve/CVE-2017-1000366/ SUSE CVE CVE-2017-1000366 page https://www.suse.com/security/cve/CVE-2017-1000408/ SUSE CVE CVE-2017-1000408 page https://www.suse.com/security/cve/CVE-2017-12132/ SUSE CVE CVE-2017-12132 page https://www.suse.com/security/cve/CVE-2017-12133/ SUSE CVE CVE-2017-12133 page https://www.suse.com/security/cve/CVE-2017-15670/ SUSE CVE CVE-2017-15670 page https://www.suse.com/security/cve/CVE-2017-16997/ SUSE CVE CVE-2017-16997 page https://www.suse.com/security/cve/CVE-2017-17426/ SUSE CVE CVE-2017-17426 page https://www.suse.com/security/cve/CVE-2017-18269/ SUSE CVE CVE-2017-18269 page https://www.suse.com/security/cve/CVE-2018-1000001/ SUSE CVE CVE-2018-1000001 page https://www.suse.com/security/cve/CVE-2018-11236/ SUSE CVE CVE-2018-11236 page https://www.suse.com/security/cve/CVE-2018-11237/ SUSE CVE CVE-2018-11237 page https://www.suse.com/security/cve/CVE-2018-19591/ SUSE CVE CVE-2018-19591 page https://www.suse.com/security/cve/CVE-2018-6485/ SUSE CVE CVE-2018-6485 page https://www.suse.com/security/cve/CVE-2019-19126/ SUSE CVE CVE-2019-19126 page https://www.suse.com/security/cve/CVE-2019-25013/ SUSE CVE CVE-2019-25013 page https://www.suse.com/security/cve/CVE-2019-7309/ SUSE CVE CVE-2019-7309 page https://www.suse.com/security/cve/CVE-2019-9169/ SUSE CVE CVE-2019-9169 page https://www.suse.com/security/cve/CVE-2020-10029/ SUSE CVE CVE-2020-10029 page https://www.suse.com/security/cve/CVE-2020-1752/ SUSE CVE CVE-2020-1752 page https://www.suse.com/security/cve/CVE-2020-27618/ SUSE CVE CVE-2020-27618 page https://www.suse.com/security/cve/CVE-2020-29562/ SUSE CVE CVE-2020-29562 page https://www.suse.com/security/cve/CVE-2020-29573/ SUSE CVE CVE-2020-29573 page https://www.suse.com/security/cve/CVE-2020-6096/ SUSE CVE CVE-2020-6096 page https://www.suse.com/security/cve/CVE-2021-27645/ SUSE CVE CVE-2021-27645 page https://www.suse.com/security/cve/CVE-2021-3326/ SUSE CVE CVE-2021-3326 page https://www.suse.com/security/cve/CVE-2021-33574/ SUSE CVE CVE-2021-33574 page openSUSE Tumbleweed glibc-2.34-1.2 glibc-devel-2.34-1.2 glibc-devel-static-2.34-1.2 glibc-extra-2.34-1.2 glibc-html-2.34-1.2 glibc-i18ndata-2.34-1.2 glibc-info-2.34-1.2 glibc-lang-2.34-1.2 glibc-locale-2.34-1.2 glibc-locale-base-2.34-1.2 glibc-profile-2.34-1.2 nscd-2.34-1.2 glibc-2.34-1.2 as a component of openSUSE Tumbleweed glibc-devel-2.34-1.2 as a component of openSUSE Tumbleweed glibc-devel-static-2.34-1.2 as a component of openSUSE Tumbleweed glibc-extra-2.34-1.2 as a component of openSUSE Tumbleweed glibc-html-2.34-1.2 as a component of openSUSE Tumbleweed glibc-i18ndata-2.34-1.2 as a component of openSUSE Tumbleweed glibc-info-2.34-1.2 as a component of openSUSE Tumbleweed glibc-lang-2.34-1.2 as a component of openSUSE Tumbleweed glibc-locale-2.34-1.2 as a component of openSUSE Tumbleweed glibc-locale-base-2.34-1.2 as a component of openSUSE Tumbleweed glibc-profile-2.34-1.2 as a component of openSUSE Tumbleweed nscd-2.34-1.2 as a component of openSUSE Tumbleweed ** DISPUTED ** ldd in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows local users to gain privileges via a Trojan horse executable file linked with a modified loader that omits certain LD_TRACE_LOADED_OBJECTS checks. NOTE: the GNU C Library vendor states "This is just nonsense. There are a gazillion other ways to introduce code if people are downloading arbitrary binaries and install them in appropriate directories or set LD_LIBRARY_PATH etc." CVE-2009-5064 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-5064.html CVE-2009-5064 https://bugzilla.suse.com/677787 SUSE Bug 677787 https://bugzilla.suse.com/684385 SUSE Bug 684385 In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match. CVE-2009-5155 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-5155.html CVE-2009-5155 https://bugzilla.suse.com/1127223 SUSE Bug 1127223 Certain run-time memory protection mechanisms in the GNU C Library (aka glibc or libc6) print argv[0] and backtrace information, which might allow context-dependent attackers to obtain sensitive information from process memory by executing an incorrect program, as demonstrated by a setuid program that contains a stack-based buffer overflow error, related to the __fortify_fail function in debug/fortify_fail.c, and the __stack_chk_fail (aka stack protection) and __chk_fail (aka FORTIFY_SOURCE) implementations. CVE-2010-3192 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-3192.html CVE-2010-3192 https://bugzilla.suse.com/636113 SUSE Bug 636113 res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash). CVE-2015-5180 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate 1.2 AV:L/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5180.html CVE-2015-5180 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 https://bugzilla.suse.com/1215582 SUSE Bug 1215582 https://bugzilla.suse.com/941234 SUSE Bug 941234 The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. CVE-2016-10228 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10228.html CVE-2016-10228 https://bugzilla.suse.com/1027496 SUSE Bug 1027496 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. CVE-2016-10739 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10739.html CVE-2016-10739 https://bugzilla.suse.com/1122729 SUSE Bug 1122729 https://bugzilla.suse.com/1155094 SUSE Bug 1155094 The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via 64 bytes of input. CVE-2016-6261 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6261.html CVE-2016-6261 https://bugzilla.suse.com/1118435 SUSE Bug 1118435 https://bugzilla.suse.com/1173590 SUSE Bug 1173590 https://bugzilla.suse.com/990190 SUSE Bug 990190 The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. CVE-2016-6323 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate 1.5 AV:L/AC:M/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6323.html CVE-2016-6323 https://bugzilla.suse.com/994359 SUSE Bug 994359 glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. CVE-2017-1000366 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1000366.html CVE-2017-1000366 https://bugzilla.suse.com/1037551 SUSE Bug 1037551 https://bugzilla.suse.com/1039357 SUSE Bug 1039357 https://bugzilla.suse.com/1063847 SUSE Bug 1063847 https://bugzilla.suse.com/1071319 SUSE Bug 1071319 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366. CVE-2017-1000408 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1000408.html CVE-2017-1000408 https://bugzilla.suse.com/1039357 SUSE Bug 1039357 https://bugzilla.suse.com/1071319 SUSE Bug 1071319 The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. CVE-2017-12132 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-12132.html CVE-2017-12132 https://bugzilla.suse.com/1051791 SUSE Bug 1051791 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path. CVE-2017-12133 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-12133.html CVE-2017-12133 https://bugzilla.suse.com/1081556 SUSE Bug 1081556 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 https://bugzilla.suse.com/980854 SUSE Bug 980854 The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. CVE-2017-15670 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15670.html CVE-2017-15670 https://bugzilla.suse.com/1064583 SUSE Bug 1064583 https://bugzilla.suse.com/1110160 SUSE Bug 1110160 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution. CVE-2017-16997 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16997.html CVE-2017-16997 https://bugzilla.suse.com/1073231 SUSE Bug 1073231 The malloc function in the GNU C Library (aka glibc or libc6) 2.26 could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, potentially leading to a subsequent heap overflow. This occurs because the per-thread cache (aka tcache) feature enables a code path that lacks an integer overflow check. CVE-2017-17426 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-17426.html CVE-2017-17426 https://bugzilla.suse.com/1071479 SUSE Bug 1071479 An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution. CVE-2017-18269 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-18269.html CVE-2017-18269 https://bugzilla.suse.com/1094150 SUSE Bug 1094150 https://bugzilla.suse.com/1118435 SUSE Bug 1118435 In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. CVE-2018-1000001 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000001.html CVE-2018-1000001 https://bugzilla.suse.com/1074293 SUSE Bug 1074293 https://bugzilla.suse.com/1099047 SUSE Bug 1099047 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. CVE-2018-11236 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11236.html CVE-2018-11236 https://bugzilla.suse.com/1094161 SUSE Bug 1094161 https://bugzilla.suse.com/1110160 SUSE Bug 1110160 https://bugzilla.suse.com/1118435 SUSE Bug 1118435 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper. CVE-2018-11237 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11237.html CVE-2018-11237 https://bugzilla.suse.com/1092877 SUSE Bug 1092877 https://bugzilla.suse.com/1094154 SUSE Bug 1094154 https://bugzilla.suse.com/1118435 SUSE Bug 1118435 In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function. CVE-2018-19591 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19591.html CVE-2018-19591 https://bugzilla.suse.com/1117603 SUSE Bug 1117603 An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption. CVE-2018-6485 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-6485.html CVE-2018-6485 https://bugzilla.suse.com/1079036 SUSE Bug 1079036 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. CVE-2019-19126 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-19126.html CVE-2019-19126 https://bugzilla.suse.com/1157292 SUSE Bug 1157292 The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. CVE-2019-25013 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-25013.html CVE-2019-25013 https://bugzilla.suse.com/1182117 SUSE Bug 1182117 https://bugzilla.suse.com/1220988 SUSE Bug 1220988 In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled. CVE-2019-7309 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-7309.html CVE-2019-7309 https://bugzilla.suse.com/1124100 SUSE Bug 1124100 In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. CVE-2019-9169 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9169.html CVE-2019-9169 https://bugzilla.suse.com/1127308 SUSE Bug 1127308 https://bugzilla.suse.com/1146392 SUSE Bug 1146392 The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. CVE-2020-10029 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10029.html CVE-2020-10029 https://bugzilla.suse.com/1165784 SUSE Bug 1165784 A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32. CVE-2020-1752 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-1752.html CVE-2020-1752 https://bugzilla.suse.com/1167631 SUSE Bug 1167631 The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228. CVE-2020-27618 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-27618.html CVE-2020-27618 https://bugzilla.suse.com/1178386 SUSE Bug 1178386 https://bugzilla.suse.com/1220988 SUSE Bug 1220988 The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. CVE-2020-29562 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-29562.html CVE-2020-29562 https://bugzilla.suse.com/1179694 SUSE Bug 1179694 https://bugzilla.suse.com/1220988 SUSE Bug 1220988 sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of "Fixed for glibc 2.33" in the 26649 reference. CVE-2020-29573 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-29573.html CVE-2020-29573 https://bugzilla.suse.com/1179721 SUSE Bug 1179721 https://bugzilla.suse.com/1220988 SUSE Bug 1220988 An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. CVE-2020-6096 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-6096.html CVE-2020-6096 https://bugzilla.suse.com/1168425 SUSE Bug 1168425 The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c. CVE-2021-27645 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-27645.html CVE-2021-27645 https://bugzilla.suse.com/1182733 SUSE Bug 1182733 The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. CVE-2021-3326 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3326.html CVE-2021-3326 https://bugzilla.suse.com/1181505 SUSE Bug 1181505 https://bugzilla.suse.com/1212283 SUSE Bug 1212283 https://bugzilla.suse.com/1220988 SUSE Bug 1220988 The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. CVE-2021-33574 openSUSE Tumbleweed:glibc-2.34-1.2 openSUSE Tumbleweed:glibc-devel-2.34-1.2 openSUSE Tumbleweed:glibc-devel-static-2.34-1.2 openSUSE Tumbleweed:glibc-extra-2.34-1.2 openSUSE Tumbleweed:glibc-html-2.34-1.2 openSUSE Tumbleweed:glibc-i18ndata-2.34-1.2 openSUSE Tumbleweed:glibc-info-2.34-1.2 openSUSE Tumbleweed:glibc-lang-2.34-1.2 openSUSE Tumbleweed:glibc-locale-2.34-1.2 openSUSE Tumbleweed:glibc-locale-base-2.34-1.2 openSUSE Tumbleweed:glibc-profile-2.34-1.2 openSUSE Tumbleweed:nscd-2.34-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-33574.html CVE-2021-33574 https://bugzilla.suse.com/1186489 SUSE Bug 1186489 https://bugzilla.suse.com/1189426 SUSE Bug 1189426 https://bugzilla.suse.com/1192788 SUSE Bug 1192788 https://bugzilla.suse.com/1196766 SUSE Bug 1196766