CVE-2011-1095

Name of the Vulnerable Software and Affected Versions glibc versions 2.3.4 glibc versions prior to 2.15-r3 glibc-utils versions 2.3.4 glibc-devel versions 2.3.4 glibc-common versions 2.3.4 glibc-profile versions 2.3.4 glibc-headers versions 2.3.4 nptl-devel version 2.3.4

Description The issue concerns multiple vulnerabilities in the glibc package, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited locally. The locale/programs/locale.c in locale in the GNU C Library does not quote its output, potentially allowing local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script using the eval function.

Recommendations For glibc versions 2.3.4, consider updating to a version later than 2.15-r3. For glibc versions prior to 2.15-r3, update to version 2.15-r3 or later. For glibc-utils versions 2.3.4, update to a version later than 2.3.4. For glibc-devel versions 2.3.4, update to a version later than 2.3.4. For glibc-common versions 2.3.4, update to a version later than 2.3.4. For glibc-profile versions 2.3.4, update to a version later than 2.3.4. For glibc-headers versions 2.3.4, update to a version later than 2.3.4. For nptl-devel version 2.3.4, update to a version later than 2.3.4. As a temporary workaround, consider restricting access to the locale/programs/locale.c function until a patch is available.