Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 285818 - <sys-libs/glibc-2.10.1-r1: GNU glibc 'strfmon()' Function Integer Overflow Weakness (CVE-2009-{4880,4881})
Summary: <sys-libs/glibc-2.10.1-r1: GNU glibc 'strfmon()' Function Integer Overflow We...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Blocks: glibc-2.10-stable
  Show dependency tree
Reported: 2009-09-21 10:46 UTC by Pavel Shirov
Modified: 2010-11-15 21:33 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Pavel Shirov 2009-09-21 10:46:44 UTC
GNU glibc is prone to an integer-overflow weakness. 

An attacker can exploit this issue through other applications such as PHP to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

GNU glibc 2.10.1 and prior are vulnerable.

Reproducible: Always

Steps to Reproduce:
1. php -r 'money_format("%.1073741821i",1);'
Actual Results:  
# php -r 'money_format("%.1073741821i",1);'
Segmentation fault

Expected Results:  
# php -r 'money_format("%.107374182i",1);'

Tested with sys-libs/glibc-2.9_p20081201-r2

# emerge --info
Portage (default/linux/x86/2008.0, gcc-4.3.2, glibc-2.9_p20081201-r2, i686)
System uname: Linux-
Timestamp of tree: Mon, 21 Sep 2009 01:45:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
app-shells/bash:     4.0_p28
dev-java/java-config: 2.1.8-r1
dev-lang/python:     2.4.6, 2.5.4-r3, 2.6.2-r1
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake:      2.6.4
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
CFLAGS="-O2 -march=pentium4 -pipe"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4 -pipe"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="X acl berkdb bzip2 cli cracklib crypt dbus dri fortran gdbm git glitz hal iconv iproute2 isdnlog kde mmx mng mudflap ncurses nls nptl nptlonly opengl openmp pam pcre perl pppd python qt4 readline redland reflection session speex spl sse sse2 ssl subversion svg sysfs tcpd threads unicode vnc webkit x86 xcomposite xorg xulrunner zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="ru" USERLAND="GNU" VIDEO_CARDS="intel"
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2009-09-23 00:08:04 UTC
Upstream report: (Closed as invalid)
Comment 2 SpanKY gentoo-dev 2009-10-26 09:58:11 UTC
guess we should import this commit:;a=commitdiff;h=199eb0de8d
Comment 3 SpanKY gentoo-dev 2009-11-21 06:18:16 UTC
this has been queued in the glibc-2.10 patchset and is already in glibc-2.11
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-23 17:54:00 UTC
Security bugs are closed by security only, after the fixed packet is stable and a GLSA has been sent.

sys-libs/glibc-2.9_p20081201-r3 needs to go stable now, any objections?
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-23 17:57:01 UTC
... or 2.10.1-r1, of course. But I think it's better to have a stable 2.9 and 2.10 version. Also I think sys-libs/glibc-2.9_p20081201-r3 would go stable faster than glibc-2.10.x.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-23 18:06:08 UTC
Argh, while moving read mail I noticed I overlooked "queued". Is it possible to provide a fixed 2.9...-r4, too?
We'll have to wait for that or could stable something newer when it's ready (which I guess, will take longer).

Sorry for the bugspam. 
Comment 7 SpanKY gentoo-dev 2010-04-25 07:24:22 UTC
glibc-2.10.1-r1 is stable.  only GLSA needs going out now.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:36:13 UTC
CVE-2009-4880 (
  Multiple integer overflows in the strfmon implementation in the GNU C
  Library (aka glibc or libc6) 2.10.1 and earlier allow
  context-dependent attackers to cause a denial of service (memory
  consumption or application crash) via a crafted format string, as
  demonstrated by a crafted first argument to the money_format function
  in PHP, a related issue to CVE-2008-1391.

CVE-2009-4881 (
  Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c
  in the strfmon implementation in the GNU C Library (aka glibc or
  libc6) before 2.10.1 allows context-dependent attackers to cause a
  denial of service (application crash) via a crafted format string, as
  demonstrated by the %99999999999999999999n string, a related issue to

Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2010-11-15 21:33:34 UTC
This is GLSA 201011-01, thanks everyone, and sorry about the delay.