Summary: | <dev-lang/swi-prolog-6.2.5: Multiple (stack-based) buffer overflows in path canonisation code and when expanding file-names with long paths (CVE-2012-{6089,6090}) | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | prolog |
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.openwall.com/lists/oss-security/2013/01/03/3 | |
Whiteboard: | B2 [glsa] | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-01-04 19:48:27 UTC
CVE-2012-6090 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6090): Multiple stack-based buffer overflows in the expand function in os/pl-glob.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename.

CVE-2012-6089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6089): Multiple stack-based buffer overflows in the canoniseFileName function in os/pl-os.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename.

-6.2.5 and -6.3.7 are both in portage.

=dev-lang/swi-prolog-6.2.5 is the version recommended for stabilization.

(In reply to comment #2)
> -6.2.5 and -6.3.7 are both in portage.
>
> =dev-lang/swi-prolog-6.2.5 is the version recommended for stabilization.

Thanks, Keri. Arches, please test and mark stable.

amd64 stable

x86 stable

ppc stable

New GLSA request filed.

This issue was resolved and addressed in GLSA 201312-05 at http://security.gentoo.org/glsa/glsa-201312-05.xml by GLSA coordinator Sergey Popov (pinkbyte).