| Summary: | <sys-libs/glibc-2.21-r1: _IO_wstr_overflow integer overflow | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | mike, rogerx.oss, toolchain |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://sourceware.org/bugzilla/show_bug.cgi?id=17269 | ||
| See Also: |
https://sourceware.org/bugzilla/show_bug.cgi?id=17269 https://bugzilla.redhat.com/show_bug.cgi?id=1195762 |
||
| Whiteboard: | A2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
this has been fixed for glibc 2.22 and 2.21.1, and i've backported it to our glibc 2.21-r1 ebuild. but that's just now hitting ~arch so it'll be a little while before we can stabilize. Package =sys-libs/glibc-2.20-r2 is still marked as the latest stable on X86_64 bit platforms without this patch applied. This issue was resolved and addressed in GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02 by GLSA coordinator Tobias Heinlein (keytoaster). |
From ${URL} : An integer overflow flaw, leading to a heap-based buffer overflow, was found in glibc's _IO_wstr_overflow() function. If an application used this function, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Upstream issue: https://sourceware.org/bugzilla/show_bug.cgi?id=17269 Upstream patch: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.