Risk: Medium
Patch available: YES
Number of vulnerabilities: 5
CVE-ID: CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2020-29573, CVE-2021-3326
CWE-ID: CWE-125, CWE-835, CWE-617, CWE-787
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Operating systems & Components / Operating system: SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE, SUSE Linux Enterprise Server 11
Operating systems & Components / Operating system package or component: glibc-devel-32bit, glibc-locale-32bit, glibc-32bit, glibc-debuginfo, glibc-profile-32bit, glibc-debugsource, glibc-debuginfo-32bit, glibc-devel, nscd, glibc, glibc-profile, glibc-i18ndata, glibc-html, glibc-locale, glibc-info
Vendor: SUSE
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU50329
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-25013
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in the iconv feature of the GNU C Library when processing multi-byte input sequences in the EUC-KR encoding. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
Mitigation
Update the affected package glibc to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
glibc-devel-32bit: before 2.11.3-17.110.43.1
glibc-locale-32bit: before 2.11.3-17.110.43.1
glibc-32bit: before 2.11.3-17.110.43.1
glibc-debuginfo: before 2.11.3-17.110.43.1
glibc-profile-32bit: before 2.11.3-17.110.43.1
glibc-debugsource: before 2.11.3-17.110.43.1
glibc-debuginfo-32bit: before 2.11.3-17.110.43.1
glibc-devel: before 2.11.3-17.110.43.1
nscd: before 2.11.3-17.110.43.1
glibc: before 2.11.3-17.110.43.1
glibc-profile: before 2.11.3-17.110.43.1
glibc-i18ndata: before 2.11.3-17.110.43.1
glibc-html: before 2.11.3-17.110.43.1
glibc-locale: before 2.11.3-17.110.43.1
glibc-info: before 2.11.3-17.110.43.1
https://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50404
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-27618
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop within the iconv implementation when processing multi-byte input sequences in the IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 encodings. A remote attacker can pass specially crafted data to the application, consume all available system resources and cause denial of service conditions.
Mitigation
Update the affected package glibc to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
glibc-devel-32bit: before 2.11.3-17.110.43.1
glibc-locale-32bit: before 2.11.3-17.110.43.1
glibc-32bit: before 2.11.3-17.110.43.1
glibc-debuginfo: before 2.11.3-17.110.43.1
glibc-profile-32bit: before 2.11.3-17.110.43.1
glibc-debugsource: before 2.11.3-17.110.43.1
glibc-debuginfo-32bit: before 2.11.3-17.110.43.1
glibc-devel: before 2.11.3-17.110.43.1
nscd: before 2.11.3-17.110.43.1
glibc: before 2.11.3-17.110.43.1
glibc-profile: before 2.11.3-17.110.43.1
glibc-i18ndata: before 2.11.3-17.110.43.1
glibc-html: before 2.11.3-17.110.43.1
glibc-locale: before 2.11.3-17.110.43.1
glibc-info: before 2.11.3-17.110.43.1
https://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU49670
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-29562
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in the iconv function of the GNU C Library (aka glibc or libc6) when converting UCS4 text containing an irreversible character. A remote attacker can pass specially crafted data to the library, trigger an assertion failure and perform a denial of service attack.
Mitigation
Update the affected package glibc to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
glibc-devel-32bit: before 2.11.3-17.110.43.1
glibc-locale-32bit: before 2.11.3-17.110.43.1
glibc-32bit: before 2.11.3-17.110.43.1
glibc-debuginfo: before 2.11.3-17.110.43.1
glibc-profile-32bit: before 2.11.3-17.110.43.1
glibc-debugsource: before 2.11.3-17.110.43.1
glibc-debuginfo-32bit: before 2.11.3-17.110.43.1
glibc-devel: before 2.11.3-17.110.43.1
nscd: before 2.11.3-17.110.43.1
glibc: before 2.11.3-17.110.43.1
glibc-profile: before 2.11.3-17.110.43.1
glibc-i18ndata: before 2.11.3-17.110.43.1
glibc-html: before 2.11.3-17.110.43.1
glibc-locale: before 2.11.3-17.110.43.1
glibc-info: before 2.11.3-17.110.43.1
https://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50362
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-29573
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in sysdeps/i386/ldbl2mpn.c in the GNU C Library on x86 systems. A remote attacker can pass specially crafted data to an application that uses the vulnerable version of glibc and crash it.
Mitigation
Update the affected package glibc to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
glibc-devel-32bit: before 2.11.3-17.110.43.1
glibc-locale-32bit: before 2.11.3-17.110.43.1
glibc-32bit: before 2.11.3-17.110.43.1
glibc-debuginfo: before 2.11.3-17.110.43.1
glibc-profile-32bit: before 2.11.3-17.110.43.1
glibc-debugsource: before 2.11.3-17.110.43.1
glibc-debuginfo-32bit: before 2.11.3-17.110.43.1
glibc-devel: before 2.11.3-17.110.43.1
nscd: before 2.11.3-17.110.43.1
glibc: before 2.11.3-17.110.43.1
glibc-profile: before 2.11.3-17.110.43.1
glibc-i18ndata: before 2.11.3-17.110.43.1
glibc-html: before 2.11.3-17.110.43.1
glibc-locale: before 2.11.3-17.110.43.1
glibc-info: before 2.11.3-17.110.43.1
https://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50075
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-3326
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the iconv function in the GNU C Library (aka glibc or libc6) when processing invalid input sequences in the ISO-2022-JP-3 encoding. A remote attacker can pass specially crafted data to the application, trigger an assertion failure and crash the affected application.
Mitigation
Update the affected package glibc to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
glibc-devel-32bit: before 2.11.3-17.110.43.1
glibc-locale-32bit: before 2.11.3-17.110.43.1
glibc-32bit: before 2.11.3-17.110.43.1
glibc-debuginfo: before 2.11.3-17.110.43.1
glibc-profile-32bit: before 2.11.3-17.110.43.1
glibc-debugsource: before 2.11.3-17.110.43.1
glibc-debuginfo-32bit: before 2.11.3-17.110.43.1
glibc-devel: before 2.11.3-17.110.43.1
nscd: before 2.11.3-17.110.43.1
glibc: before 2.11.3-17.110.43.1
glibc-profile: before 2.11.3-17.110.43.1
glibc-i18ndata: before 2.11.3-17.110.43.1
glibc-html: before 2.11.3-17.110.43.1
glibc-locale: before 2.11.3-17.110.43.1
glibc-info: before 2.11.3-17.110.43.1
https://www.suse.com/support/update/announcement/2024/suse-su-20240759-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
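The "before 2.11.3-17.110.43.1" condition that all five entries share can be checked against a host's package inventory. The following is an added example, not part of the bulletin or of SUSE's tooling: it assumes the inventory was produced with `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, uses a simplified RPM segment comparison (no epoch, `~` or `^` handling), and runs on a constructed sample inventory.

```python
import re

FIXED = "2.11.3-17.110.43.1"  # fixed version-release stated in the bulletin
AFFECTED = {                  # package names listed in the bulletin
    "glibc", "glibc-32bit", "glibc-devel", "glibc-devel-32bit",
    "glibc-locale", "glibc-locale-32bit", "glibc-profile",
    "glibc-profile-32bit", "glibc-debuginfo", "glibc-debuginfo-32bit",
    "glibc-debugsource", "glibc-i18ndata", "glibc-html", "glibc-info", "nscd",
}

def rpmvercmp(a, b):
    """Simplified RPM comparison of one version or release string: -1, 0 or 1."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)      # numeric segments compare as integers
        elif x.isdigit():
            return 1                   # a numeric segment is newer than an alphabetic one
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two 'version-release' strings (epoch assumed absent)."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(inventory_text):
    """Return (name, version-release) for affected packages older than FIXED."""
    findings = []
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in AFFECTED and evr_cmp(parts[1], FIXED) < 0:
            findings.append((parts[0], parts[1]))
    return findings

# Constructed sample inventory; the version-release values are illustrative only.
SAMPLE = """glibc 2.11.3-17.110.40.1
glibc-32bit 2.11.3-17.110.43.1
nscd 2.11.3-17.110.9.2
glibc-locale 2.11.3-17.111.1
bash 3.2-147.35.1"""

if __name__ == "__main__":
    for name, evr in unpatched(SAMPLE):
        print(f"{name} {evr} is older than {FIXED}")
```

The `nscd` row shows why the release must be compared segment by segment as integers: a plain string comparison would rank `110.9.2` above `110.43.1` and miss the unpatched package.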