| Description: | The glibc packages provide the standard C libraries (libc), POSIX threadlibraries (libpthread), standard math libraries (libm), and the NameServer Caching Daemon (nscd) used by multiple programs on the system.Without these libraries, the Linux system cannot function correctly.An out-of-bounds write flaw was found in the way the glibc's readdir_r()function handled file system entries longer than the NAME_MAX characterconstant. A remote attacker could provide a specially crafted NTFS or CIFSfile system that, when processed by an application using readdir_r(), wouldcause that application to crash or, potentially, allow the attacker toexecute arbitrary code with the privileges of the user running theapplication. (CVE-2013-4237)It was found that getaddrinfo() did not limit the amount of stack memoryused during name resolution. An attacker able to make an applicationresolve an attacker-controlled hostname or IP address could possibly causethe application to exhaust all stack memory and crash. (CVE-2013-4458)These updated glibc packages also include several bug fixes and twoenhancements. Space precludes documenting all of these changes in thisadvisory. Users are directed to the Red Hat Enterprise Linux 6.6 TechnicalNotes, linked to in the References section, for information on the mostsignificant of these changes.All glibc users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues and add theseenhancements. |