
Bug 393477 (CVE-2009-5029)

Summary: <sys-libs/glibc-2.14.1-r3 : "__tzfile_read()" Buffer Overflow Vulnerability (CVE-2009-5029)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/47064/
See Also: http://sourceware.org/bugzilla/show_bug.cgi?id=13506
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 411903    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2011-12-07 08:42:03 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to an error within the "__tzfile_read()" function (time/tzfile.c) and can be exploited to cause a heap-based buffer overflow via a specially crafted timezone file.

Successful exploitation may allow the execution of arbitrary code but requires that a malicious timezone file is loaded (e.g. by uploading it into the chroot of an FTP server).

The vulnerability is confirmed in version 2.14.1. Other versions may also be affected.


Solution:
There is no patch(es) atm, so unpatched.
Comment 1 SpanKY gentoo-dev 2012-01-01 09:47:58 UTC
I've included the upstream fix in glibc-2.14.1-r2, but that isn't ready for stabilizing yet. Not sure how important this is in reality to exploit (seems fairly unlikely).
Comment 2 Agostino Sarubbo gentoo-dev 2012-04-17 15:08:19 UTC
The stabilization will be done in bug 411903.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-08-16 04:55:17 UTC
Thanks, everyone. GLSA request filed.
Comment 4 Mark Loeser (RETIRED) gentoo-dev 2013-02-22 23:30:37 UTC
toolchain done
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 11:29:51 UTC
CVE-2009-5029 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5029):
  Integer overflow in the __tzfile_read function in glibc before 2.15 allows
  context-dependent attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a crafted timezone (TZ) file, as
  demonstrated using vsftpd.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:14:41 UTC
This issue was resolved and addressed in
 GLSA 201312-01 at http://security.gentoo.org/glsa/glsa-201312-01.xml
by GLSA coordinator Chris Reffett (creffett).