Bug 484646 (CVE-2013-4332) - <sys-libs/glibc-2.19-r1: Three integer overflows in glibc memory allocator (CVE-2013-4332)
Alias: CVE-2013-4332
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa cleanup]
Duplicates: 494444
Depends on: 518364
Reported: 2013-09-12 05:11 UTC by Agostino Sarubbo
Modified: 2015-03-08 14:54 UTC



Description Agostino Sarubbo gentoo-dev 2013-09-12 05:11:26 UTC
From ${URL} :

I recently discovered three integer overflow issues in the glibc
memory allocator functions pvalloc, valloc and
posix_memalign/memalign/aligned_alloc. These issues cause a large
allocation size to wrap around and cause a wrong sized allocation and
heap corruption. The issues are fixed in glibc mainline.

The relevant glibc bugzilla entries are here:

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
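
The size wrap-around the description refers to, as an added example that is not part of the original report and is not glibc's code: a simplified model of the page rounding a valloc-style allocator performs, next to a version that checks for overflow first. PAGE_SIZE, round_up_unchecked and round_up_checked are hypothetical names, and the fixed 4096-byte page size is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE ((size_t)4096)  /* assumed page size for the illustration */

/* Unchecked: round a request up to a whole number of pages.
   For bytes > SIZE_MAX - (PAGE_SIZE - 1) the addition wraps modulo 2^N,
   so the "rounded" size comes out far smaller than the request. */
static size_t round_up_unchecked(size_t bytes)
{
    return (bytes + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
}

/* Checked: reject the request before the addition can wrap.
   Returns 0 and stores the rounded size, or -1 with errno = ENOMEM. */
static int round_up_checked(size_t bytes, size_t *out)
{
    if (bytes > SIZE_MAX - (PAGE_SIZE - 1)) {
        errno = ENOMEM;
        return -1;
    }
    *out = (bytes + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    return 0;
}

int main(void)
{
    /* Constructed sample requests: three ordinary sizes, two near SIZE_MAX. */
    size_t samples[] = { 1, 4096, 4097, SIZE_MAX - 100, SIZE_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t safe = 0;
        int rc = round_up_checked(samples[i], &safe);
        printf("request=%zu unchecked=%zu checked=%s\n",
               samples[i], round_up_unchecked(samples[i]),
               rc == 0 ? "ok" : "ENOMEM");
    }
    return 0;
}
```

A caller that trusts the unchecked result for a request near SIZE_MAX receives a size of 0 while still believing it holds the full request, which is the wrong-sized allocation the report describes.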
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2013-10-03 04:28:45 UTC
Number 1:

Fixed in commit 1159a193696ad48ec86e5895f6dee3e539619c0e.

Number 2:

Fixed in commit 55e17aadc1ef17a1df9626fb0e9fba290ece3331.

Number 3:

Fixed in commit b73ed247781d533628b681f57257dc85882645d3.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-15 03:18:35 UTC
CVE-2013-4332 (
  Multiple integer overflows in malloc/malloc.c in the GNU C Library (aka
  glibc or libc6) 2.18 and earlier allow context-dependent attackers to cause
  a denial of service (heap corruption) via a large value to the (1) pvalloc,
  (2) valloc, (3) posix_memalign, (4) memalign, or (5) aligned_alloc
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-16 13:21:18 UTC
*** Bug 494444 has been marked as a duplicate of this bug. ***
Comment 4 Ulenrich 2013-12-30 13:16:32 UTC
My duplicate with the sampled patches from Debian~unstable source

has not only "Check for overflow."
but also a patch to "stack_chk_guard"
and a Debian proposal to not crash when a locale doesn't exist.
Comment 5 Steev Klimaszewski (RETIRED) gentoo-dev 2014-01-05 00:54:02 UTC
Shouldn't this bug block the stabilization of glibc 2.17?
Comment 6 SpanKY gentoo-dev 2014-02-18 19:23:58 UTC
i've cherry picked this into the glibc-2.18 patchset
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 03:43:39 UTC
Maintainer(s), please drop the vulnerable version(s).

Added to an existing GLSA Request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:54:11 UTC
This issue was resolved and addressed in
 GLSA 201503-04 at
by GLSA coordinator Kristian Fiskerstrand (K_F).