Bug 252797 (CVE-2008-1391) - BSD libc: strfmon() multiple vulnerabilities (CVE-2008-1391)
Status: RESOLVED FIXED
Alias: CVE-2008-1391
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All, OS: All
Importance: High normal
Assignee: Gentoo Security
URL: http://securityreason.com/achievement...
Whiteboard: ~ [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2008-12-28 10:58 UTC by Christian Hoffmann (RETIRED)
Modified: 2009-04-08 18:05 UTC
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-12-28 10:58:49 UTC
Maksymilian Arciemowicz asked me to try to reproduce this on Gentoo, both Linux and BSD, because some other Linux distribution is apparently vulnerable to this issue.

Could someone try the example code from $URL on Gentoo/BSD (do we track security problems here anyway?) and stable Gentoo/Linux?

I've tried on latest ~amd64 w/ linux-2.6.27 and glibc-2.9_p20081201 and all examples exited with exit code 0 immediately (i.e. no crash and no hang).

Still, I think better safe than sorry, so please test on stable Linux as well.

Whoever marked the CVE as NOTFORUS in SVN w/ comment "libc in NetBSD": The advisory says that probably all *BSD libcs are vulnerable, so FBSD probably as well... and Gentoo/FBSD is not considered dead, is it?
Comment 1 Javier Villavicencio (RETIRED) gentoo-dev 2008-12-28 17:57:28 UTC
(In reply to comment #0)
> Could someone try the example code from $URL on Gentoo/BSD (do we track
> security problems here anyway?) and stable Gentoo/Linux?
> 
Crashes and hangs on Gentoo/FreeBSD. It is fixed upstream in FreeBSD-CURRENT [1]. Patch applied and tested in the gentoo-bsd overlay [2].

> well... and Gentoo/FBSD is not considered dead, is it?
> 
Gentoo/FBSD is not dead, yet the version currently in portage is (or will be soon) pretty much deprecated (6.2 is way too old and getting 6.x to work with gcc4 was a PITA). Consider this fixed (for BSD) when 7.x hits the tree (which will be soonish).

[1]http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/strfmon.c.diff?r2=1.14.12.1&r1=1.19&f=u
[2]http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-bsd.git;a=commitdiff
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-08 18:05:31 UTC
(In reply to comment #1)
> Consider this fixed (for BSD) when 7.x hits the tree (which
> will be soonish).
> 
7.1 packages are in the tree, so I guess this is fixed. Please reopen if I missed something.