Summary: | <dev-libs/libcgroup-0.38: intended resource restriction bypass (CVE-2011-{1006,1022}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | trivial | CC: | alexanderyt, andreis.vinogradovs, davidweb, dev-tools, jaak, nerdboy, proxy-maint |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | ~1 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 437856 | | |
Bug Blocks: | | | |
Description

GLSAMaker/CVETool Bot, 2011-06-25 13:00:32 UTC

CVE-2011-1006 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1006): Heap-based buffer overflow in the parse_cgroup_spec function in tools/tools-common.c in the Control Group Configuration Library (aka libcgroup or libcg) before 0.37.1 allows local users to gain privileges via a crafted controller list on the command line of an application. NOTE: it is not clear whether this issue crosses privilege boundaries.

New version available: http://sourceforge.net/projects/libcg/files/libcgroup/v.038/ released 2012-02-20.

*** Bug 417963 has been marked as a duplicate of this bug. ***

Why is this taking so long?!

Version 0.38 was added to the tree; it does not have the vulnerability. Please clean old versions.

Due to #437856 being resolved, please drop the affected version from the tree.

```
+ 27 Nov 2012; Sergey Popov <pinkbyte@gentoo.org> -libcgroup-0.37-r2.ebuild,
+ -files/libcgroup-0.37-wildcard-substitutions.patch:
+ Drop vulnerable versions, wrt bug #372985
```

Also, adding the missing maintaining herd (proxy maintainers) to CC.

Thanks, everyone. Closing noglsa for ~arch only.