Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 372985 - <dev-libs/libcgroup-0.38: intended resource restriction bypass (CVE-2011-{1006,1022})
Summary: <dev-libs/libcgroup-0.38: intended resource restriction bypass (CVE-2011-{100...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial with 1 vote (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
: 417963 (view as bug list)
Depends on: 437856
  Show dependency tree
Reported: 2011-06-25 13:00 UTC by GLSAMaker/CVETool Bot
Modified: 2012-11-27 12:02 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2011-06-25 13:00:32 UTC
CVE-2011-1022 (
  The cgre_receive_netlink_msg function in daemon/cgrulesengd.c in cgrulesengd
  in the Control Group Configuration Library (aka libcgroup or libcg) before
  0.37.1 does not verify that netlink messages originated in the kernel, which
  allows local users to bypass intended resource restrictions via a crafted

Please punt older versions.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-07-11 23:31:57 UTC
CVE-2011-1006 (
  Heap-based buffer overflow in the parse_cgroup_spec function in
  tools/tools-common.c in the Control Group Configuration Library (aka
  libcgroup or libcg) before 0.37.1 allows local users to gain privileges via
  a crafted controller list on the command line of an application.  NOTE: it
  is not clear whether this issue crosses privilege boundaries.
Comment 2 Andreis Vinogradovs ( slepnoga ) 2012-05-28 10:50:23 UTC
New version available
relised 	2012-02-20
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-05-28 11:07:07 UTC
*** Bug 417963 has been marked as a duplicate of this bug. ***
Comment 4 Jaak Ristioja 2012-08-09 19:48:08 UTC
Why is this taking so long?!
Comment 5 Maxim Koltsov (RETIRED) gentoo-dev 2012-11-26 18:46:32 UTC
Version 0.38 was added to tree, it does not have the vulnerability. Please clean old versions.
Comment 6 Andreis Vinogradovs ( slepnoga ) 2012-11-27 07:15:08 UTC
due #437856 resolved, please drop affected version from tree
Comment 7 Sergey Popov gentoo-dev 2012-11-27 07:46:41 UTC
+  27 Nov 2012; Sergey Popov <> -libcgroup-0.37-r2.ebuild,
+  -files/libcgroup-0.37-wildcard-substitutions.patch:
+  Drop vulnerable versions, wrt bug #372985

Also, adding missing maintaining herd(proxy maintainers) to CC
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-27 12:02:51 UTC
Thanks, everyone.

Closing noglsa for ~arch only.