CVE-2014-8121

Publication date 27 March 2015

Last updated 24 July 2024

DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset.

From the Ubuntu Security Team

Robin Hack discovered that the Name Service Switch (NSS) implementation in the GNU C Library did not properly manage its file descriptors. An attacker could use this to cause a denial of service (infinite loop).

Status

Show unmaintained releases

Package	Ubuntu Release	Status
eglibc	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Not in release
	15.04 vivid	Not in release
	14.10 utopic	Not in release
	14.04 LTS trusty	Fixed 2.19-0ubuntu6.8
	12.04 LTS precise	Fixed 2.15-0ubuntu10.14
	10.04 LTS lucid	Ignored
glibc	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Fixed 2.21-0ubuntu4.2
	15.04 vivid	Ignored
	14.10 utopic	Ignored
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
glibc	Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=03d2730b44cc2236318fd978afa2651753666c55 Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b13b96ca05a132a12dc5f3712b99e626670716bf

References

Related Ubuntu Security Notices (USN)