Bugzilla – Bug 920338
VUL-1: CVE-2015-8984: glibc: Fix read past end of pattern in fnmatch
Last modified: 2019-08-28 22:42:59 UTC
Reported by customer, also on oss-sec: http://www.openwall.com/lists/oss-security/2015/02/26/5

+++ This bug was initially created as a clone of Bug #920169 +++

Original Description:

"Customer got information from their CERT Team regarding a security flaw in fnmatch of glibc, which could be used for a denial of service.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185

I confirmed the malicious code in fnmatch_loop.c of latest SLES11 SP3 x86_64 glibc version. As I'm not able to find any references in Bugzilla/smash, please file an L3 request on this and request a CVE on this issue. For my customer we need a classification based on CVSSv2."
bugbot adjusting priority
openSUSE-SU-2015:0955-1: An update that solves two vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 917539,918187,920338,927080
CVE References: CVE-2014-8121,CVE-2015-1781
Sources used:
openSUSE 13.2 (src): glibc-2.19-16.12.1, glibc-testsuite-2.19-16.12.4, glibc-utils-2.19-16.12.1
openSUSE 13.1 (src): glibc-2.18-4.32.1, glibc-testsuite-2.18-4.32.3, glibc-utils-2.18-4.32.2
SUSE-SU-2015:1424-1: An update that solves three vulnerabilities and has 7 fixes is now available.
Category: security (important)
Bug References: 830257,851280,918187,920338,927080,928723,932059,933770,933903,935286
CVE References: CVE-2013-2207,CVE-2014-8121,CVE-2015-1781
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Desktop 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Desktop 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src): glibc-2.11.3-17.87.3
No CVE was assigned so far. Not sure if there will be one.
SUSE-SU-2015:1844-1: An update that solves two vulnerabilities and has 11 fixes is now available.
Category: security (moderate)
Bug References: 915955,918187,920338,927080,928723,931480,934084,937853,939211,940195,940332,944494,945779
CVE References: CVE-2014-8121,CVE-2015-1781
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): glibc-2.19-22.7.1
SUSE Linux Enterprise Server 12 (src): glibc-2.19-22.7.1
SUSE Linux Enterprise Desktop 12 (src): glibc-2.19-22.7.1
SUSE-SU-2016:0470-1: An update that solves 10 vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 830257,847227,863499,892065,918187,920338,927080,945779,950944,961721,962736,962737,962738,962739
CVE References: CVE-2013-2207,CVE-2013-4458,CVE-2014-8121,CVE-2014-9761,CVE-2015-1781,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): glibc-2.11.3-17.45.66.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src): glibc-2.11.3-17.45.66.1
CVE-2015-8984 was assigned to this issue. http://seclists.org/oss-sec/2017/q1/437
All updates released.