Summary: | <sys-libs/glibc-2.14.1-r3 : "__tzfile_read()" Buffer Overflow Vulnerability (CVE-2009-5029) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/47064/ | ||
See Also: | http://sourceware.org/bugzilla/show_bug.cgi?id=13506 | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 411903 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2011-12-07 08:42:03 UTC
i've included the upstream fix in glibc-2.14.1-r2. but that isn't ready for stabilizing yet. not sure how important this is in reality to exploit (seems fairly unlikely). the stabilization will be done in bug 411903 Thanks, everyone. GLSA request filed. toolchain done CVE-2009-5029 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5029): Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd. This issue was resolved and addressed in GLSA 201312-01 at http://security.gentoo.org/glsa/glsa-201312-01.xml by GLSA coordinator Chris Reffett (creffett). |