Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or
libc6) 2.13 and earlier allows context-dependent attackers to cause a denial
of service (application crash) via a long UTF8 string that is used in an
fnmatch call with a crafted pattern argument, a different vulnerability than
Can we go stable with a 2.13 version? Please also take into account the other 2.13-ish issues we just filed.
2.13 is stable since a long time.
@security: ok to glsa for it?
I believe this may have been addressed via , post 2.13 release, and I don't see any patches in 2.13-r4 that address this?
@toolchain, would you agree? If so, how do you think we should move this forward?
i think Agostino just misread the summary (<2.13 vs <=2.13). it's fixed in glibc-2.14, and i'll be posting that for stabilization soonish, so probably best to just let it filter that route.
(In reply to comment #3)
> i think Agostino just misread the summary (<2.13 vs <=2.13). it's fixed in
> glibc-2.14, and i'll be posting that for stabilization soonish, so probably
> best to just let it filter that route.
Thanks for the clarification Mike.
The stabilization will be done in bug 411903.
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in
GLSA 201312-01 at http://security.gentoo.org/glsa/glsa-201312-01.xml
by GLSA coordinator Chris Reffett (creffett).