Advisories » MGASA-2025-0164

Updated glibc packages fix security vulnerability

Publication date: 24 May 2025
Modification date: 24 May 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-4802

Description

An untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU
C Library versions 2.27 to 2.38 allows attacker-controlled loading of
dynamically shared libraries in statically compiled setuid binaries that
call dlopen (including internal dlopen calls after setlocale or calls to
NSS functions such as getaddrinfo). (CVE-2025-4802)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=34286
• https://www.openwall.com/lists/oss-security/2025/05/16/7
• https://www.openwall.com/lists/oss-security/2025/05/17/2
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4802

SRPMS

9/core

• glibc-2.36-56.mga9