Bug 1256285 (CVE-2015-5229)

Summary: CVE-2015-5229 glibc: calloc may return non-zero memory
Product: [Other] Security Response
Reporter: Florian Weimer <fweimer>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: arjun.is, ashankar, codonell, fweimer, jakub, law, mfabian, mnewsome, pfrankli, sardella, slawomir, spoyarek, yozone
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-16 16:58:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1244002, 1246713, 1293976, 1294080, 1296453
Bug Blocks: 1256291, 1293533

Description Florian Weimer 2015-08-24 09:46:16 UTC
It was discovered that the calloc implementation in glibc, as shipped in the Red Hat Enterprise Linux 6.7 GA and 7.2 GA versions, could return memory areas which contain non-zero bytes. This could lead to application misbehavior such as hangs or crashes.

Comment 1 Florian Weimer 2015-08-24 09:50:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHBA-2015:1465 https://rhn.redhat.com/errata/RHBA-2015-1465.html

Comment 2 Florian Weimer 2015-08-24 09:51:35 UTC
Fixed glibc packages for Red Hat Enterprise Linux 6.7 were available at GA time, but are not included in the installation media.

Comment 3 Martin Prpič 2016-01-07 09:59:06 UTC
This issue was found to also affect Red Hat Enterprise Linux 7.2. This issue does not affect Red Hat Enterprise Linux 7.0 or 7.1.

Comment 8 Martin Prpič 2016-02-15 12:18:05 UTC
Acknowledgements:

Red Hat would like to thank Jeff Layton for reporting this issue.

Comment 9 errata-xmlrpc 2016-02-16 15:41:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0176 https://rhn.redhat.com/errata/RHSA-2016-0176.html
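The Doc Text and Description above describe the failure mode (calloc handing back memory that is not all zero) but the bug carries no reproducer. The following is an added stand-alone probe for that behaviour; it is my example, not glibc's own test suite and not code attached to this bug or its errata. It dirties the heap by allocating blocks, filling them with 0xAA and freeing them, then callocs blocks of the same sizes and scans every byte. The block sizes, the 64-slot count, the fill pattern and the round count are arbitrary choices meant to exercise glibc's fastbin, small/large-bin and mmap allocation paths; they are not derived from the bug's actual trigger.

```c
/* Added example: probe whether calloc returns zeroed memory on this libc.
   Not glibc's test suite and not part of bug 1256285. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocations kept live per round; 64 is an arbitrary choice. */
#define SLOTS 64

/* Returns the number of non-zero bytes observed in calloc'd memory of
   `size` bytes across `rounds` rounds, or -1 if an allocation failed.
   0 means calloc zeroed everything for this size on this libc. */
long check_calloc_zeroed(size_t size, int rounds)
{
    long nonzero = 0;
    void *slots[SLOTS];

    for (int r = 0; r < rounds; r++) {
        /* Phase 1: dirty chunks of this size and free them, so the
           allocator has recycled memory full of 0xAA to hand out. */
        for (int i = 0; i < SLOTS; i++) {
            slots[i] = malloc(size);
            if (!slots[i]) {
                while (i-- > 0) free(slots[i]);
                return -1;
            }
            memset(slots[i], 0xAA, size);
        }
        /* Free in interleaved order so neighbours are not all coalesced
           at once and several bins get populated. */
        for (int i = 0; i < SLOTS; i += 2) free(slots[i]);
        for (int i = 1; i < SLOTS; i += 2) free(slots[i]);

        /* Phase 2: calloc the same sizes and scan every byte. */
        for (int i = 0; i < SLOTS; i++) {
            unsigned char *p = calloc(1, size);
            if (!p) {
                while (i-- > 0) free(slots[i]);
                return -1;
            }
            for (size_t j = 0; j < size; j++)
                nonzero += (p[j] != 0);
            slots[i] = p;
        }
        for (int i = 0; i < SLOTS; i++) free(slots[i]);
    }
    return nonzero;
}

/* Runs the probe over a set of sizes chosen to cross glibc's allocator
   paths (fastbin, small/large bins, and above the default 128 KiB mmap
   threshold). Returns total non-zero bytes seen, or -1 on allocation
   failure. */
long probe_calloc(void)
{
    static const size_t sizes[] = { 24, 100, 1000, 4096, 65536, 200 * 1024 };
    long total = 0;

    for (size_t k = 0; k < sizeof sizes / sizeof sizes[0]; k++) {
        long n = check_calloc_zeroed(sizes[k], 8);
        if (n < 0)
            return -1;
        printf("size %zu: %ld non-zero byte(s)\n", sizes[k], n);
        total += n;
    }
    return total;
}

int main(void)
{
    long n = probe_calloc();
    if (n < 0) {
        fputs("allocation failure, probe inconclusive\n", stderr);
        return 2;
    }
    puts(n == 0 ? "calloc returned zeroed memory for every pattern tried"
                : "calloc returned NON-ZERO memory: libc needs the fix");
    return n == 0 ? 0 : 1;
}
```

Build with `cc -O0 -o calloc-probe calloc-probe.c` (optimisation off, so the compiler cannot fold the malloc/memset/free sequence away) and run it on the host whose glibc you want to check; exit status 1 flags a libc that handed back dirty bytes. A clean run shows only that these particular allocation patterns came back zeroed, not that the installed glibc is unaffected, so the authoritative check remains comparing the installed glibc package against the errata listed in this bug.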