ASA-201801-9 generated external raw

[ASA-201801-9] glibc: multiple issues
Arch Linux Security Advisory ASA-201801-9 ========================================= Severity: High Date : 2018-01-10 CVE-ID : CVE-2017-15670 CVE-2017-15671 Package : glibc Type : multiple issues Remote : Yes Link : Summary ======= The package glibc before version 2.26-9 is vulnerable to multiple issues including arbitrary code execution and denial of service. Resolution ========== Upgrade to 2.26-9. # pacman -Syu "glibc>=2.26-9" The problems have been fixed upstream but no release is available yet. Workaround ========== None. Description =========== - CVE-2017-15670 (arbitrary code execution) The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by- one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. - CVE-2017-15671 (denial of service) The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak). Impact ====== A remote attacker is able to execute arbitrary code on the host or crash a target application that is using glibc functions for globbing by providing a crafted input to it. References ==========;a=commitdiff;h=a76376df7c07e577a9515c3faa5dbd50bda5da07;a=commitdiff;h=f1cf98b583787cfb6278baea46e286a0ee7567fd