| Summary: | sys-libs/glibc-2.10.1-r1: GNU glibc 'strfmon()' Function Integer Overflow Weakness (CVE-2009-{4880,4881}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Pavel Shirov <passnet> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gengor, jaak, pva |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.securityfocus.com/bid/36443 | | |
| Whiteboard: | B1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 289342 | | |
Description
Pavel Shirov
2009-09-21 10:46:44 UTC
Upstream report: http://sources.redhat.com/bugzilla/show_bug.cgi?id=9707 (Closed as invalid), http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600

Guess we should import this commit: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d

This has been queued in the glibc-2.10 patchset and is already in glibc-2.11.

Security bugs are closed by security only, after the fixed package is stable and a GLSA has been sent.

sys-libs/glibc-2.9_p20081201-r3 needs to go stable now, any objections?

... or 2.10.1-r1, of course. But I think it's better to have a stable 2.9 and 2.10 version. Also I think sys-libs/glibc-2.9_p20081201-r3 would go stable faster than glibc-2.10.x.

Argh, while moving read mail I noticed I overlooked "queued". Is it possible to provide a fixed 2.9...-r4, too? We'll have to wait for that or could stable something newer when it's ready (which, I guess, will take longer). Sorry for the bugspam.

glibc-2.10.1-r1 is stable. Only GLSA needs going out now.

CVE-2009-4880 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4880): Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391.

CVE-2009-4881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4881): Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391.

This is GLSA 201011-01, thanks everyone, and sorry about the delay.
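As an added example (not code from the glibc commit above or from anyone on this bug), the overflow the two CVEs describe can be refused before a format string ever reaches strfmon(): the width and precision digits are accumulated with an explicit INT_MAX check instead of wrapping. The function names and the sample strings are this example's own, taking the crafted width from the CVE-2009-4881 text.

```c
#include <limits.h>
#include <stdio.h>

/* Parse the decimal digits of a strfmon() width or precision field. Returns the
 * value, or -1 if adding another digit would overflow an int (the wrap-around
 * behind CVE-2009-4880/4881). *end receives the first non-digit character. */
static int parse_field(const char *s, const char **end)
{
    int value = 0;
    while (*s >= '0' && *s <= '9') {
        int digit = *s++ - '0';
        if (value > (INT_MAX - digit) / 10)   /* value * 10 + digit > INT_MAX */
            return -1;
        value = value * 10 + digit;
    }
    *end = s;
    return value;
}
/* Return 0 if every width, '#' left-precision and '.' right-precision field in
 * a strfmon()-style format string fits in an int, -1 on the first that does not. */
int check_strfmon_format(const char *fmt)
{
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }   /* "%%" is a literal '%' */
        /* Skip strfmon flags; '=' carries an extra fill character. */
        while (*p == '=' || *p == '^' || *p == '+' || *p == '(' || *p == '!' || *p == '-') {
            if (*p == '=' && p[1] != '\0')
                p++;
            p++;
        }
        if (parse_field(p, &p) < 0)                    /* field width */
            return -1;
        if (*p == '#' && parse_field(p + 1, &p) < 0)   /* left precision */
            return -1;
        if (*p == '.' && parse_field(p + 1, &p) < 0)   /* right precision */
            return -1;
    }
    return 0;
}
int main(void)
{
    /* Constructed samples, including the crafted width cited for CVE-2009-4881. */
    const char *samples[] = { "%11n", "%=*#5.2i", "%99999999999999999999n" };
    for (int i = 0; i < 3; i++)
        printf("%s: %s\n", samples[i], check_strfmon_format(samples[i]) ? "rejected" : "accepted");
    return 0;
}
```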