Bug 576726 (CVE-2016-1234)

Summary: <sys-libs/glibc-2.23-r3: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption
Product: Gentoo Security
Reporter: Lars Wendler (Polynomial-C) <polynomial-c>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: toolchain
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=19779
See Also: https://sourceware.org/bugzilla/show_bug.cgi?id=19779
Whiteboard: A2 [glsa cve]
Package list:
=sys-libs/glibc-2.23-r3
Runtime testing required: ---
Bug Depends on: 604808    
Bug Blocks:    

Description Lars Wendler (Polynomial-C) gentoo-dev 2016-03-07 21:21:19 UTC
From URL:

Alexander Cherepanov discovered that the glob implementation in glibc does not correctly handle overlong names in struct dirent buffers when GLOB_ALTDIRFUNC is used.
Comment 1 Agostino Sarubbo gentoo-dev 2016-03-08 15:10:17 UTC
Unless I'm missing something the whiteboard is just upstream.
Comment 2 SpanKY gentoo-dev 2016-11-12 06:27:23 UTC
should be fixed in glibc-2.23-r3.  will need some time to bake in ~arch.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-12-13 14:11:17 UTC
@ Maintainer(s): One month later, can we now stabilize =sys-libs/glibc-2.23-r3?
Comment 4 SpanKY gentoo-dev 2016-12-14 16:28:11 UTC
i don't think we need to rush this.  wait until the end of Dec and it should be fine if there are no new issues.
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-01-02 16:34:19 UTC
@ Arches,

please test and mark stable: =sys-libs/glibc-2.23-r3
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-05 08:41:16 UTC
amd64 stable
Comment 7 Tobias Klausmann gentoo-dev 2017-01-05 12:36:42 UTC
Stable on alpha.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-06 10:06:49 UTC
Stable for HPPA.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-06 14:33:14 UTC
Stable for PPC64.
Comment 10 Markus Meier gentoo-dev 2017-01-08 18:27:51 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-26 09:06:58 UTC
ia64 stable
Comment 12 Michael Weber (RETIRED) gentoo-dev 2017-02-10 13:32:59 UTC
ppc stable
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-02-18 19:12:43 UTC
x86 stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:40:04 UTC
This issue was resolved and addressed in
 GLSA 201702-11 at https://security.gentoo.org/glsa/201702-11
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 15 Thomas Deutschmann gentoo-dev Security 2017-02-19 12:41:46 UTC
Re-opening for remaining arch.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2017-02-19 14:35:07 UTC
Setting back to stable - sparc please complete stabilization (A2 = 5 Day Stabilization - Start Date: 2017-01-02)
Comment 17 SpanKY gentoo-dev 2017-03-07 06:05:31 UTC
sparc is done now
Comment 18 Thomas Deutschmann gentoo-dev Security 2017-03-07 13:07:52 UTC
@ Maintainer(s): Please cleanup and drop <sys-libs/glibc-2.23-r3 or remove keywords/apply masks to indicate a security problem.
Comment 19 Matthias Maier gentoo-dev 2017-06-19 16:30:18 UTC
commit aa57c4a8ee21fa208a21388c1291260c1dd8c389
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu Jun 8 11:20:38 2017 -0500

    profiles: Mask all glibc versions older than 2.23
Comment 20 Thomas Deutschmann gentoo-dev Security 2017-06-19 17:13:49 UTC
Repository is clean, all done.