GNU glibc is prone to an integer-overflow weakness. An attacker can exploit this issue through other applications such as PHP to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. GNU glibc 2.10.1 and prior are vulnerable. Reproducible: Always Steps to Reproduce: 1. php -r 'money_format("%.1073741821i",1);' Actual Results: # php -r 'money_format("%.1073741821i",1);' Segmentation fault # Expected Results: # php -r 'money_format("%.107374182i",1);' # Tested with sys-libs/glibc-2.9_p20081201-r2 # emerge --info Portage 2.1.6.13 (default/linux/x86/2008.0, gcc-4.3.2, glibc-2.9_p20081201-r2, 2.6.22.18-co-0.7.3 i686) ================================================================= System uname: Linux-2.6.22.18-co-0.7.3-i686-Intel-R-_Celeron-R-_CPU_2.80GHz-with-gentoo-1.12.11.1 Timestamp of tree: Mon, 21 Sep 2009 01:45:01 +0000 distcc 3.1 i686-pc-linux-gnu [disabled] app-shells/bash: 4.0_p28 dev-java/java-config: 2.1.8-r1 dev-lang/python: 2.4.6, 2.5.4-r3, 2.6.2-r1 dev-python/pycrypto: 2.0.1-r8 dev-util/cmake: 2.6.4 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.7.9-r1, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6a virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=pentium4 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -march=pentium4 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles/ http://trumpetti.atm.tut.fi/gentoo/" LANG="C" LDFLAGS="-Wl,-O1" LINGUAS="ru" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage" USE="X acl berkdb bzip2 cli cracklib crypt dbus dri fortran gdbm git glitz hal iconv iproute2 isdnlog kde mmx mng mudflap ncurses nls nptl nptlonly opengl openmp pam pcre perl pppd python qt4 readline redland reflection session speex spl sse sse2 ssl subversion svg sysfs tcpd threads unicode vnc webkit x86 xcomposite xorg xulrunner zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="ru" USERLAND="GNU" VIDEO_CARDS="intel" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Upstream report: http://sources.redhat.com/bugzilla/show_bug.cgi?id=9707 (Closed as invalid) http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
guess we should import this commit: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d
this has been queued in the glibc-2.10 patchset and is already in glibc-2.11
Security bugs are closed by security only, after the fixed packet is stable and a GLSA has been sent. sys-libs/glibc-2.9_p20081201-r3 needs to go stable now, any objections?
... or 2.10.1-r1, of course. But I think it's better to have a stable 2.9 and 2.10 version. Also I think sys-libs/glibc-2.9_p20081201-r3 would go stable faster than glibc-2.10.x.
Argh, while moving read mail I noticed I overlooked "queued". Is it possible to provide a fixed 2.9...-r4, too? We'll have to wait for that or could stable something newer when it's ready (which I guess, will take longer). Sorry for the bugspam.
glibc-2.10.1-r1 is stable. only GLSA needs going out now.
CVE-2009-4880 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4880): Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391. CVE-2009-4881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4881): Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391.
This is GLSA 201011-01, thanks everyone, and sorry about the delay.
