[Bug 1961117] Re: Vulnerability in glibc - CVE-2022-23219
Steve Beattie
1961117 at bugs.launchpad.net
Mon Mar 28 19:19:35 UTC 2022
This issue was addressed in Ubuntu in
https://ubuntu.com/security/notices/USN-5310-1 and
https://ubuntu.com/security/notices/USN-5310-2 and the under development
jammy/Ubuntu 22.04 LTS already has glibc 2.35 incorporated.
Please also note that Ubuntu has been building with stack-protector
enabled since 2006, and thus the issue was limited to a denial of
service.
Thanks.
** Changed in: glibc (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1961117
Title:
Vulnerability in glibc - CVE-2022-23219
Status in glibc package in Ubuntu:
Fix Released
Bug description:
Title: Vulnerability in Glibc - CVE-2022-23219
Expectation: Glibc needs to be upgraded to glib v2.35 (Feb2022 release)
Details of CVE - https://nvd.nist.gov/vuln/detail/CVE-2022-23219 & https://ubuntu.com/security/CVE-2022-23219
Description: The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka Glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1961117/+subscriptions
More information about the foundations-bugs
mailing list