Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 356567 - <sys-libs/glibc-2.12.2: GNU C Library "fnmatch()" Stack Corruption Vulnerability
Summary: <sys-libs/glibc-2.12.2: GNU C Library "fnmatch()" Stack Corruption Vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on: 356913
  Show dependency tree
Reported: 2011-02-26 14:09 UTC by kerncode
Modified: 2013-12-03 04:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description kerncode 2011-02-26 14:09:48 UTC
A vulnerability has been reported in the GNU C Library, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error within the implementation of the "fnmatch()" function, which can be exploited to cause a stack corruption by e.g. tricking an application into using the function on specially crafted input.

The vulnerability is reported in versions prior to 2.12.2.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 14:45:28 UTC
From $URL, the upstream bug is

@toolchain, thoughts?
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2011-02-27 14:00:09 UTC
More details can be found here

Comment 3 SpanKY gentoo-dev 2011-03-01 00:24:09 UTC
if the issue is already resolved in glibc-2.12.2 in the tree, then i'm not sure we'd look at trying to backport.  we're at the point where glibc-2.12.x should be looked at for stabilization in general.  i'll start a thread on gentoo-dev to see if we need to shake out any dependencies first.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-09 10:25:09 UTC
Stable by now.
Comment 5 Mark Loeser (RETIRED) gentoo-dev 2013-02-22 23:18:30 UTC
toolchain work done.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:14:23 UTC
This issue was resolved and addressed in
 GLSA 201312-01 at
by GLSA coordinator Chris Reffett (creffett).