Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 325555 (CVE-2010-0830) - <sys-libs/glibc-2.11.2: Arbitrary code execution (CVE-2010-0830)
Summary: <sys-libs/glibc-2.11.2: Arbitrary code execution (CVE-2010-0830)
Status: RESOLVED FIXED
Alias: CVE-2010-0830
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High blocker (vote)
Assignee: Gentoo Security
URL: http://sourceware.org/git/?p=glibc.gi...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 318503
Blocks:
  Show dependency tree
 
Reported: 2010-06-25 19:27 UTC by Stefan Behte (RETIRED)
Modified: 2011-10-08 14:46 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:27:52 UTC
CVE-2010-0830 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0830):
  Integer signedness error in the elf_get_dynamic_info function in
  elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
  2.0.1 through 2.11.1, when the --verify option is used, allows
  user-assisted remote attackers to execute arbitrary code via a
  crafted ELF program with a negative value for a certain d_tag
  structure member in the ELF header.
Comment 1 SpanKY gentoo-dev 2010-06-25 19:47:27 UTC
this is already in glibc-2.11.2 which is already in the tree
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:36:49 UTC
CVE-2010-0830 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0830):
  Integer signedness error in the elf_get_dynamic_info function in
  elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
  2.0.1 through 2.11.1, when the --verify option is used, allows
  user-assisted remote attackers to execute arbitrary code via a
  crafted ELF program with a negative value for a certain d_tag
  structure member in the ELF header.

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:58:21 UTC
GLSA will be filed together with #285818.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-11-15 21:34:28 UTC
This is GLSA 201011-01, thanks everyone, and sorry about the delay.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 14:43:14 UTC
CVE-2011-1071 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1071):
  The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC
  (EGLIBC) allow context-dependent attackers to execute arbitrary code or
  cause a denial of service (memory consumption) via a long UTF8 string that
  is used in an fnmatch call, aka a "stack extension attack," a related issue
  to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported
  for use of this library by Google Chrome.
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 14:46:47 UTC
Sorry about the last comment, wrong bug.