Vulnerability in glibc - CVE-2022-23219

Bug #1961117 reported by bhs
Affects: glibc (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Title: Vulnerability in Glibc - CVE-2022-23219

Expectation: Glibc needs to be upgraded to glibc v2.35 (Feb 2022 release)

Details of CVE - https://nvd.nist.gov/vuln/detail/CVE-2022-23219 & https://ubuntu.com/security/CVE-2022-23219

Description: The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka Glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
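
The unchecked-copy pattern that the CVE description names, next to a length-validated form, as an added example that is not part of the original report and is not glibc's code. The function names, the `sockaddr_un` destination and the sample inputs are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Unsafe pattern, shown for contrast and never called here: the
 * caller-supplied name is copied into a fixed-size field of a stack
 * object with no length check. Illustrative only, not glibc source. */
void fill_addr_unchecked(struct sockaddr_un *sun, const char *hostname)
{
    sun->sun_family = AF_UNIX;
    strcpy(sun->sun_path, hostname);
}

/* Hardened form (hypothetical helper): validate the length first.
 * Returns 0 on success, EINVAL for NULL arguments, ENAMETOOLONG if the
 * name plus its terminating NUL would not fit in sun_path. */
int fill_addr_checked(struct sockaddr_un *sun, const char *hostname)
{
    size_t len;

    if (sun == NULL || hostname == NULL)
        return EINVAL;
    len = strlen(hostname);
    if (len >= sizeof(sun->sun_path))
        return ENAMETOOLONG;
    memset(sun, 0, sizeof(*sun));
    sun->sun_family = AF_UNIX;
    memcpy(sun->sun_path, hostname, len + 1);
    return 0;
}

int main(void)
{
    struct sockaddr_un sun;                    /* stack destination */
    char too_long[sizeof(sun.sun_path) + 64];  /* constructed input */

    memset(too_long, 'A', sizeof(too_long) - 1);
    too_long[sizeof(too_long) - 1] = '\0';

    printf("short name: %d\n", fill_addr_checked(&sun, "/run/demo.sock"));
    printf("oversized:  %d (ENAMETOOLONG=%d)\n",
           fill_addr_checked(&sun, too_long), ENAMETOOLONG);
    return 0;
}
```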

bhs (bharath-vegito)
information type: Private Security → Public
Steve Beattie (sbeattie) wrote :

This issue was addressed in Ubuntu in https://ubuntu.com/security/notices/USN-5310-1 and https://ubuntu.com/security/notices/USN-5310-2 and the under development jammy/Ubuntu 22.04 LTS already has glibc 2.35 incorporated.

Please also note that Ubuntu has been building with stack-protector enabled since 2006, and thus the issue was limited to a denial of service.

Thanks.

Changed in glibc (Ubuntu):
status: New → Fix Released