[Buildroot] [PATCH 5/5] package/glibc: bump to 2.27
Peter Korsgaard
peter at korsgaard.com
Tue Feb 6 14:41:47 UTC 2018
>>>>> "Baruch" == Baruch Siach <baruch at tkos.co.il> writes:
Hi,
>> Possibly, yes. Let's see how much blows up on next. Do you know if (some
>> of) these issues are also fixed on the 2.26 branch?
> As far as I know all these issues are fixed in the 2.26 stable branch. See the
> NEWS file in that branch.
OK, but only when we bump to the latest version on the 2.26 branch, e.g.:

git diff 73a92363619e52c458146e903dfb9b1ba823aa40.. -- NEWS
  CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
  to the allocation of too much memory. (This is not a security bug per se,
  it is mentioned here only because of the CVE assignment.) Reported by
  Qualys.

  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
  of the number of search path components. (This is not a security
  vulnerability per se because no trust boundary is crossed if the fix for
  CVE-2017-1000366 has been applied, but it is mentioned here only because
  of the CVE assignment.) Reported by Qualys.

  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
  for AT_SECURE or SUID binaries could be used to load libraries from the
  current directory.

  CVE-2018-1000001: Buffer underflow in realpath function when getcwd function
  succeeds without returning an absolute path due to unexpected behaviour
  of the Linux kernel getcwd syscall. Reported by halfdog.
I don't see any reference to CVE-2018-6485 though.
I'll send a patch to bump the version.
--
Bye, Peter Korsgaard
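The check Peter does by eye above (which CVEs the NEWS diff mentions, and whether a particular one such as CVE-2018-6485 is among them) can be scripted. The following is an added example and is not code from the Buildroot thread or from the glibc project; SAMPLE_NEWS is a constructed excerpt that reproduces the entries quoted in the mail, and in practice you would pipe in the output of the `git diff ... -- NEWS` command shown above or the NEWS file of the release you are bumping to.

```shell
#!/bin/sh
# Added example, not code from the Buildroot thread or the glibc project:
# list the CVE identifiers a NEWS excerpt mentions, and report which of a
# set of expected CVEs it does not mention at all. SAMPLE_NEWS is a
# constructed sample reproducing the entries quoted in the mail; in
# practice feed this `git diff <old-rev>.. -- NEWS` output or the NEWS file
# of the target release.

SAMPLE_NEWS='
  CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
  to the allocation of too much memory.  Reported by Qualys.

  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
  of the number of search path components.  (Not a security vulnerability
  per se if the fix for CVE-2017-1000366 has been applied.)  Reported by
  Qualys.

  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
  for AT_SECURE or SUID binaries could be used to load libraries from the
  current directory.

  CVE-2018-1000001: Buffer underflow in realpath function when getcwd function
  succeeds without returning an absolute path.  Reported by halfdog.
'

# Read text on stdin and print every distinct CVE identifier it mentions,
# one per line, sorted.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Usage: cves_missing "<news text>" CVE-YYYY-NNNN [CVE-YYYY-NNNN ...]
# Prints each requested CVE that the text does not mention anywhere.
# Exit status 0 when every requested CVE is mentioned, 1 otherwise.
cves_missing() {
    news=$1
    shift
    found=$(printf '%s\n' "$news" | list_cves)
    status=0
    for cve in "$@"; do
        if ! printf '%s\n' "$found" | grep -qx "$cve"; then
            echo "$cve"
            status=1
        fi
    done
    return $status
}

# Stand-alone run: the CVE asked about in the mail is not in the sample.
printf '%s\n' "$SAMPLE_NEWS" | list_cves
cves_missing "$SAMPLE_NEWS" CVE-2017-16997 CVE-2018-6485 \
    || echo "at least one expected CVE is not mentioned in NEWS"
```

This only tests for a mention, not for a fix: in the sample, CVE-2017-1000366 shows up solely because the CVE-2017-1000409 entry refers to it, so a hit still means reading the entry, while a miss (as for CVE-2018-6485 here) is a reliable sign the release notes do not claim to address that CVE.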