Bug 393477 (CVE-2009-5029) - <sys-libs/glibc-2.14.1-r3 : "__tzfile_read()" Buffer Overflow Vulnerability (CVE-2009-5029)
Summary: <sys-libs/glibc-2.14.1-r3 : "__tzfile_read()" Buffer Overflow Vulnerability (...
Alias: CVE-2009-5029
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on: 411903
Reported: 2011-12-07 08:42 UTC by Agostino Sarubbo
Modified: 2013-12-03 04:14 UTC
Description Agostino Sarubbo gentoo-dev 2011-12-07 08:42:03 UTC
From Secunia security advisory at $URL:

The vulnerability is caused due to an error within the "__tzfile_read()" function (time/tzfile.c) and can be exploited to cause a heap-based buffer overflow via a specially crafted timezone file.

Successful exploitation may allow the execution of arbitrary code but requires that a malicious timezone file is loaded (e.g. by uploading it into the chroot of an FTP server).

The vulnerability is confirmed in version 2.14.1. Other versions may also be affected.

There is no patch(es) atm, so unpatched.
Comment 1 SpanKY gentoo-dev 2012-01-01 09:47:58 UTC
i've included the upstream fix in glibc-2.14.1-r2.  but that isn't ready for stabilizing yet.  not sure how important this is in reality to exploit (seems fairly unlikely).
Comment 2 Agostino Sarubbo gentoo-dev 2012-04-17 15:08:19 UTC
the stabilization will be done in bug 411903
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-08-16 04:55:17 UTC
Thanks, everyone. GLSA request filed.
Comment 4 Mark Loeser (RETIRED) gentoo-dev 2013-02-22 23:30:37 UTC
toolchain done
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 11:29:51 UTC
CVE-2009-5029:
  Integer overflow in the __tzfile_read function in glibc before 2.15 allows
  context-dependent attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a crafted timezone (TZ) file, as
  demonstrated using vsftpd.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:14:41 UTC
This issue was resolved and addressed in GLSA 201312-01 by GLSA coordinator Chris Reffett (creffett).
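
The integer overflow named in the CVE text above can be illustrated with the size calculation a timezone-file reader has to do before allocating. This is an added example, not glibc's code or the upstream fix. It assumes the TZif version 1 header layout (six big-endian 32-bit counts at offset 20) and uses hypothetical function names and a constructed sample header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TZIF_HDR_LEN 44 /* magic[4] version[1] reserved[15], then six 32-bit counts */

struct tzif_counts { uint32_t isutc, isstd, leap, time, type, chars; };

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Read the six big-endian counts; -1 if the buffer is not a TZif header. */
int tzif_counts_parse(const unsigned char *buf, size_t len, struct tzif_counts *c) {
    if (len < TZIF_HDR_LEN || memcmp(buf, "TZif", 4) != 0) return -1;
    c->isutc = be32(buf + 20); c->isstd = be32(buf + 24); c->leap  = be32(buf + 28);
    c->time  = be32(buf + 32); c->type  = be32(buf + 36); c->chars = be32(buf + 40);
    return 0;
}

/* Unchecked v1 body size in 32-bit arithmetic (models a 32-bit size_t): wraps silently. */
uint32_t body_size_unchecked(const struct tzif_counts *c) {
    return c->time * 5u + c->type * 6u + c->chars + c->leap * 8u + c->isstd + c->isutc;
}

/* Add n*width to *acc, refusing instead of exceeding limit (so it can never wrap). */
static int add_checked(uint32_t *acc, uint32_t n, uint32_t width, uint32_t limit) {
    if (n > (limit - *acc) / width) return -1;
    *acc += n * width;
    return 0;
}

/* Checked body size; avail is the number of bytes the file holds after the header. */
int body_size_checked(const struct tzif_counts *c, uint32_t avail, uint32_t *out) {
    uint32_t total = 0;
    if (add_checked(&total, c->time, 5, avail) || add_checked(&total, c->type, 6, avail) ||
        add_checked(&total, c->chars, 1, avail) || add_checked(&total, c->leap, 8, avail) ||
        add_checked(&total, c->isstd, 1, avail) || add_checked(&total, c->isutc, 1, avail))
        return -1;
    *out = total;
    return 0;
}

/* Constructed header (not from a real file): timecnt=0x33333334, typecnt=1, charcnt=4. */
const unsigned char SAMPLE_HDR[TZIF_HDR_LEN] = {
    'T','Z','i','f', [32] = 0x33,0x33,0x33,0x34, 0,0,0,1, 0,0,0,4 };
```

For the constructed header the unchecked sum wraps to a few bytes although the transition count is enormous, while the checked version rejects the file because the counts exceed what it actually contains.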