Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 386349 (CVE-2011-1659)

Summary: <sys-libs/glibc-2.14.1-r3 : Denial of Service (CVE-2011-1659)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 411903    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 15:04:22 UTC 
CVE-2011-1659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1659):
  Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or
  libc6) 2.13 and earlier allows context-dependent attackers to cause a denial
  of service (application crash) via a long UTF8 string that is used in an
  fnmatch call with a crafted pattern argument, a different vulnerability than
  CVE-2011-1071.


Can we go stable with a 2.13 version? Please also take into account the other 2.13-ish issues we just filed.
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-10 19:48:19 UTC 
2.13 is stable since a long time. 

@security: ok to glsa for it?
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-04-10 21:47:25 UTC 
I believe this may have been addressed via [1], post 2.13 release, and I don't see any patches in 2.13-r4 that address this?

@toolchain, would you agree? If so, how do you think we should move this forward?

[1] http://sourceware.org/git/?p=glibc.git;a=commit;h=8126d90480fa3e0c5c5cd0d02cb1c93174b45485
Comment 3 SpanKY gentoo-dev 2012-04-10 21:55:09 UTC 
i think Agostino just misread the summary (<2.13 vs <=2.13).  it's fixed in glibc-2.14, and i'll be posting that for stabilization soonish, so probably best to just let it filter that route.
Comment 4 Agostino Sarubbo gentoo-dev 2012-04-17 15:12:20 UTC 
(In reply to comment #3)
> i think Agostino just misread the summary (<2.13 vs <=2.13).  it's fixed in
> glibc-2.14, and i'll be posting that for stabilization soonish, so probably
> best to just let it filter that route.

Thanks for the clarification Mike.

The stabilization will be done in bug 411903.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-08-16 04:55:21 UTC 
Thanks, everyone. GLSA request filed.
Comment 6 Mark Loeser (RETIRED) gentoo-dev 2013-02-22 23:26:55 UTC 
toolchain done
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:14:38 UTC 
This issue was resolved and addressed in
 GLSA 201312-01 at http://security.gentoo.org/glsa/glsa-201312-01.xml
by GLSA coordinator Chris Reffett (creffett).