Bug 1542102 (CVE-2018-6485)

Summary: CVE-2018-6485 glibc: Integer overflow in posix_memalign in memalign functions
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alanm, aoliva, arjun.is, ashankar, codonell, dj, fweimer, glibc-bugzilla, law, mfabian, mnewsome, pfrankli, sardella, siddhesh, y.sawant
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:39:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1542103, 1547996, 1547997, 1547998, 1548002, 1548003, 1548004, 1548005, 1548007, 1548008    
Bug Blocks: 1542106    

Description Laura Pardo 2018-02-05 15:04:09 UTC 
A flaw was found in glibc. An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption. 


References:
https://sourceware.org/bugzilla/show_bug.cgi?id=22343


Patch:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22
Comment 1 Laura Pardo 2018-02-05 15:04:43 UTC 
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1542103]
Comment 8 Pedro YĆ³ssis Silva Barbosa 2018-02-22 14:23:57 UTC 
Statement:

This issue affects the versions of glibc and compat-glibc as shipped with Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 11 Fedora Update System 2018-03-06 17:30:31 UTC 
glibc-2.26-26.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Yogesh Sawant 2018-03-09 09:12:35 UTC 
Hi,

I am hoping to see a fix for CVE-2018-6485 in RHEL6

Thanks,
Yogesh Sawant
Comment 13 errata-xmlrpc 2018-10-30 07:36:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3092 https://access.redhat.com/errata/RHSA-2018:3092