--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-497995b101
2025-01-27 01:38:38.336049+00:00
--------------------------------------------------------------------------------

Name        : glibc
Product     : Fedora 41
Version     : 2.40
Release     : 21.fc41
URL         : http://www.gnu.org/software/glibc/
Summary     : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

--------------------------------------------------------------------------------
Update Information:

This update addresses two security vulnerabilities:
* CVE-2025-0395: A buffer overflow may occur in the assert function with certain
large program names and assert expressions.
* CVE-2025-0577: getrandom, arc4random can produce predictable randomness if a
multi-threaded program creates additional threads after fork.
The following non-security bugs are fixed:
* Compatibility with certain programs that call free(environ) is improved
(however, deallocating environ remains undefined in general).
* On certain non-Fedora kernels, mkstemp and other functions may not attempt to
create multiple different file names and fail with EEXISTS.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Jan 25 2025 Florian Weimer  - 2.40-21
- setenv/putenv: Use new upstream free(environ) workaround (#2341908)
  (glibc-rh2341908.patch replaces glibc-environ-malloc.patch)
- Auto-sync with upstream branch release/2.40/master,
  commit 85668221974db44459527e04d04f77ca8f8e3115:
- stdlib: Test using setenv with updated environ [BZ #32588]
- malloc: obscure calloc use in tst-calloc
- Hide all malloc functions from compiler [BZ #32366]
* Thu Jan 23 2025 Florian Weimer  - 2.40-20
- CVE-2025-0577: getrandom, arc4random can be predictable after fork (#2338960)
* Thu Jan 23 2025 Florian Weimer  - 2.40-19
- Apply patch to improve compatibility with environ/malloc misuse
* Thu Jan 23 2025 Florian Weimer  - 2.40-18
- Auto-sync with upstream branch release/2.40/master,
  commit 7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c:
- Fix underallocation of abort_msg_s struct (CVE-2025-0395)
- Fix missing randomness in __gen_tempname (bug 32214)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2338960 - glibc: getrandom, arc4random can return predictable data after fork (CVE-2025-0577)
        https://bugzilla.redhat.com/show_bug.cgi?id=2338960
  [ 2 ] Bug #2341631 - CVE-2025-0395 glibc: buffer overflow in the GNU C Library's assert() [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2341631
  [ 3 ] Bug #2341853 - CVE-2025-0577 glibc: vDSO getrandom acceleration may return predictable randomness [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2341853
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-497995b101' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

-- 
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Fedora 41: FEDORA-2025-497995b101 Critical: glibc Buffer Overflow

January 27, 2025
This update addresses two security vulnerabilities: * CVE-2025-0395: A buffer overflow may occur in the assert function with certain large program names and assert expressions

Summary

The glibc package contains standard libraries which are used by

multiple programs on the system. In order to save disk space and

memory, as well as to make upgrading easier, common system code is

kept in one place and shared between programs. This particular package

contains the most important sets of shared libraries: the standard C

library and the standard math library. Without these two libraries, a

Linux system will not function.

Update Information:

This update addresses two security vulnerabilities: * CVE-2025-0395: A buffer overflow may occur in the assert function with certain large program names and assert expressions. * CVE-2025-0577: getrandom, arc4random can produce predictable randomness if a multi-threaded program creates additional threads after fork. The following non-security bugs are fixed: * Compatibility with certain programs that call free(environ) is improved (however, deallocating environ remains undefined in general). * On certain non-Fedora kernels, mkstemp and other functions may not attempt to create multiple different file names and fail with EEXISTS.

Change Log

* Sat Jan 25 2025 Florian Weimer - 2.40-21 - setenv/putenv: Use new upstream free(environ) workaround (#2341908) (glibc-rh2341908.patch replaces glibc-environ-malloc.patch) - Auto-sync with upstream branch release/2.40/master, commit 85668221974db44459527e04d04f77ca8f8e3115: - stdlib: Test using setenv with updated environ [BZ #32588] - malloc: obscure calloc use in tst-calloc - Hide all malloc functions from compiler [BZ #32366] * Thu Jan 23 2025 Florian Weimer - 2.40-20 - CVE-2025-0577: getrandom, arc4random can be predictable after fork (#2338960) * Thu Jan 23 2025 Florian Weimer - 2.40-19 - Apply patch to improve compatibility with environ/malloc misuse * Thu Jan 23 2025 Florian Weimer - 2.40-18 - Auto-sync with upstream branch release/2.40/master, commit 7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c: - Fix underallocation of abort_msg_s struct (CVE-2025-0395) - Fix missing randomness in __gen_tempname (bug 32214)

References

[ 1 ] Bug #2338960 - glibc: getrandom, arc4random can return predictable data after fork (CVE-2025-0577) https://bugzilla.redhat.com/show_bug.cgi?id=2338960 [ 2 ] Bug #2341631 - CVE-2025-0395 glibc: buffer overflow in the GNU C Library's assert() [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2341631 [ 3 ] Bug #2341853 - CVE-2025-0577 glibc: vDSO getrandom acceleration may return predictable randomness [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2341853

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-497995b101' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
Name : glibc
Product : Fedora 41
Version : 2.40
Release : 21.fc41
URL : http://www.gnu.org/software/glibc/
Summary : The GNU libc libraries

Related News

Linux 6.11 EOL: Upgrade to 6.12 for Security and Performance Benefits
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Census III Report: Key Strategies for Linux Security Enhancement
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
Qt 6.8.1: Essential Fixes for Wayland and Security Issues
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Arch Linux 2024.12.01: Improved Hardware Support and Security Features
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Linux Kernel 6.13: Security Updates Enhance System Resilience
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Protect Linux Systems from Bootkitty: UEFI Bootkit Defense Strategies
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved