Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 404993 (CVE-2012-0864) - <sys-libs/glibc-2.15-r3 : F_S format string protection bypass via "nargs" integer overflow (CVE-2012-0864)
Summary: <sys-libs/glibc-2.15-r3 : F_S format string protection bypass via "nargs" int...
Alias: CVE-2012-0864
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Reported: 2012-02-20 09:49 UTC by Agostino Sarubbo
Modified: 2013-12-03 04:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-02-20 09:49:06 UTC
From redhat bugzilla at $URL , and phrack blog (

In the Phrack article "A Eulogy for Format Strings", a researcher using
nickname "Captain Planet" reported an integer overflow flaw in the format
string protection mechanism offered by FORTIFY_SOURCE. A remote attacker could
provide a specially crafted executable, leading to FORTIFY_SOURCE format string
protection mechanism bypass, when executed.


Upstream bug and Kees Cook's proposed patches:
Comment 1 SpanKY gentoo-dev 2012-05-18 04:43:30 UTC
this should be fixed once glibc-2.16 is released ... not really planning on back porting before that ...
Comment 2 SpanKY gentoo-dev 2012-09-25 19:41:55 UTC
ChromiumOS has been testing this patch for a while, so i just applied it to our glibc-2.15-r3 as it should be "safe"
Comment 3 Agostino Sarubbo gentoo-dev 2012-09-25 20:49:51 UTC
(In reply to comment #2)
> ChromiumOS has been testing this patch for a while, so i just applied it to
> our glibc-2.15-r3 as it should be "safe"
> 16-vfprintf-args.patch?rev=1.1

So we will stabilize 2.15-r3 or 2.16 ?
Comment 4 SpanKY gentoo-dev 2012-09-25 20:51:21 UTC
considering people are dragging their heels on 2.16, we'll have to stabilize 2.15-r3 first
Comment 5 Agostino Sarubbo gentoo-dev 2012-09-25 20:54:09 UTC
(In reply to comment #4)
> considering people are dragging their heels on 2.16, we'll have to stabilize
> 2.15-r3 first

Ok, fixed the summary. Do you plan to wait a bit before stabilize?
Comment 6 SpanKY gentoo-dev 2012-09-25 21:00:07 UTC
(In reply to comment #5)

i think the normal ~30 days is fine
Comment 7 Agostino Sarubbo gentoo-dev 2012-10-18 19:40:03 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Agostino Sarubbo gentoo-dev 2012-10-18 19:42:32 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-10-18 19:43:14 UTC
x86 stable
Comment 10 Anthony Basile gentoo-dev 2012-10-20 21:51:19 UTC
stable ppc ppc64 with a complete emerge -e @system
Comment 11 Anthony Basile gentoo-dev 2012-10-21 17:18:09 UTC
stable on arm with complete emerge -e @system
Comment 12 SpanKY gentoo-dev 2012-10-31 19:18:29 UTC
i've marked alpha/ia64/s390 stable, and listed -hppa since that isn't going to get fixed any time soon (waiting on upstream)
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-11-01 17:22:31 UTC
sparc stable and sh can't do due to bug 415591
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-01 23:55:54 UTC
Thanks, everyone.

Adding to existing GLSA request.
Comment 15 Mark Loeser (RETIRED) gentoo-dev 2013-02-22 23:31:38 UTC
toolchain done
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 11:36:21 UTC
CVE-2012-0864 (
  Integer overflow in the vfprintf function in stdio-common/vfprintf.c in
  glibc 2.14 and other versions allows context-dependent attackers to bypass
  the FORTIFY_SOURCE protection mechanism, conduct format string attacks, and
  write to arbitrary memory via a large number of arguments.
Comment 17 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-25 23:40:26 UTC
@maintainers: please clean affected versions so we can ship the GLSA.
Comment 18 Ryan Hill (RETIRED) gentoo-dev 2013-10-30 00:13:38 UTC
Affected versions will not be removed so go ahead.
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-03 03:49:02 UTC
If we must.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:14:43 UTC
This issue was resolved and addressed in
 GLSA 201312-01 at
by GLSA coordinator Chris Reffett (creffett).