UbuntuUpdates.org

Package "klibc"

Name: klibc

Description:

This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in group:

  • small utilities built with klibc for early boot
  • minimal libc subset for use with initramfs
  • kernel headers used during the build of klibc

Latest version: 2.0.7-1ubuntu5.2
Release: focal (20.04)
Level: security
Repository: main

Other versions of "klibc" in Focal

Repository  Area  Version
base        main  2.0.7-1ubuntu5
updates     main  2.0.7-1ubuntu5.2


Changelog

Version: 2.0.7-1ubuntu5.2 2024-04-16 14:07:13 UTC

  klibc (2.0.7-1ubuntu5.2) focal-security; urgency=medium

  * SECURITY UPDATE: improper pointer arithmetic
    - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization
      in usr/klibc/zlib/inftrees.c.
    - CVE-2016-9840
  * SECURITY UPDATE: improper pointer arithmetic
    - debian/patches/CVE-2016-9841.patch: remove offset pointer optimization
      in usr/klibc/zlib/inffast.c.
    - CVE-2016-9841
  * SECURITY UPDATE: memory corruption during compression
    - debian/patches/CVE-2018-25032.patch: addresses a bug that can crash
      deflate on rare inputs when using Z_FIXED.
    - CVE-2018-25032
  * SECURITY UPDATE: heap-based buffer over-read
    - debian/patches/CVE-2022-37434-1.patch: adds an extra condition to check
      if state->head->extra_max is greater than len before copying, and moves
      the len assignment to be placed before the check in
      usr/klibc/zlib/inflate.c.
    - debian/patches/CVE-2022-37434-2.patch: in the previous patch, the
      placement of the len assignment was causing issues so it was moved
      within the conditional check.
    - CVE-2022-37434

 -- Ian Constantin <email address hidden> Sat, 13 Apr 2024 12:35:16 +0300

CVE-2016-9840 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2016-9841 inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2018-25032 zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CVE-2022-37434 zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only appl

Version: 2.0.7-1ubuntu5.1 2022-04-18 09:06:22 UTC

  klibc (2.0.7-1ubuntu5.1) focal-security; urgency=medium

  * SECURITY UPDATE: integer overflow in calloc
    - debian/patches/CVE-2021-31870.patch: add overflow check
      when performing the multiplication in usr/klibc/calloc.c.
    - CVE-2021-31870
  * SECURITY UPDATE: integer overflow in cpio
    - debian/patches/CVE-2021-31871.patch: remove cast to unsigned
      to avoid a possible overflow in 64 bit systems in
      usr/utils/cpio.c.
    - CVE-2021-31871
  * SECURITY UPDATE: integer overflow in read_in_new_ascii
    - debian/patches/CVE-2021-31872.patch: ensure that c_namesize
      and c_filesize are smaller than LONG_MAX in usr/utils/cpio.c.
    - CVE-2021-31872
  * SECURITY UPDATE: integer overflow in malloc
    - debian/patches/CVE-2021-31873.patch: ensure that size is smaller
      than PTRDIFF_MAX in usr/klibc/malloc.c.
    - CVE-2021-31873

 -- David Fernandez Gonzalez <email address hidden> Wed, 13 Apr 2022 10:40:18 +0200

CVE-2021-31870 An issue was discovered in klibc before 2.0.9. Multiplication in the calloc() function may result in an integer overflow and a subsequent heap buffer
CVE-2021-31871 An issue was discovered in klibc before 2.0.9. An integer overflow in the cpio command may result in a NULL pointer dereference on 64-bit systems.
CVE-2021-31872 An issue was discovered in klibc before 2.0.9. Multiple possible integer overflows in the cpio command on 32-bit systems may result in a buffer overf
CVE-2021-31873 An issue was discovered in klibc before 2.0.9. Additions in the malloc() function may result in an integer overflow and a subsequent heap buffer over
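The two allocator fixes in 2.0.7-1ubuntu5.1 (CVE-2021-31870 and CVE-2021-31873) come down to validating a request size before it is used. The following is an added example, not klibc's own code or the patches named above: it shows the overflow check on the calloc() multiplication and the PTRDIFF_MAX bound on malloc() as standalone wrappers around the system allocator. The function names checked_malloc, checked_calloc and mul_overflows are hypothetical, and the sample allocations in main() are constructed.

```c
/* Added example (not klibc's code): the overflow checks the
 * 2.0.7-1ubuntu5.1 changelog describes for calloc() and malloc(),
 * written as wrappers around the C library allocator. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if nmemb * size does not fit in a size_t. Dividing instead
 * of multiplying avoids the wraparound the check is meant to detect. */
static int mul_overflows(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* Pointer differences are ptrdiff_t, so a request above PTRDIFF_MAX is
 * refused, as in the CVE-2021-31873 fix description. */
static void *checked_malloc(size_t size)
{
    if (size > (size_t)PTRDIFF_MAX) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(size);
}

/* The CVE-2021-31870 pattern: validate the multiplication first, so an
 * overflowed (too small) total never reaches the allocator. */
static void *checked_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    size_t total = nmemb * size;
    void *p = checked_malloc(total);
    if (p)
        memset(p, 0, total);
    return p;
}

/* Allocates with checked_calloc, verifies the zero fill, frees. Returns 1
 * on success, 0 if the allocation was refused or any byte was non-zero. */
static int calloc_is_zeroed(size_t nmemb, size_t size)
{
    unsigned char *p = checked_calloc(nmemb, size);
    if (!p)
        return 0;
    int ok = 1;
    for (size_t i = 0; i < nmemb * size; i++)
        if (p[i])
            ok = 0;
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed inputs: one legitimate request and two that overflow
     * or exceed the addressable limit. Both bad requests return NULL. */
    printf("calloc(16, 4) zeroed: %d\n", calloc_is_zeroed(16, 4));
    printf("calloc(SIZE_MAX/2+1, 2) -> %p\n",
           checked_calloc(SIZE_MAX / 2 + 1, 2));
    printf("malloc(PTRDIFF_MAX+1) -> %p\n",
           checked_malloc((size_t)PTRDIFF_MAX + 1));
    return 0;
}
```

The division-based check is the usual way to test a size_t product without relying on undefined or wrapped arithmetic; the PTRDIFF_MAX bound matters because a block larger than that cannot have its end computed as a valid pointer difference.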
