Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 576726 (CVE-2016-1234) - <sys-libs/glibc-2.23-r3: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption
Summary: <sys-libs/glibc-2.23-r3: glob: buffer overflow with GLOB_ALTDIRFUNC due to in...
Alias: CVE-2016-1234
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Depends on: 604808
  Show dependency tree
Reported: 2016-03-07 21:21 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2017-06-19 17:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-03-07 21:21:19 UTC
From URL:

Alexander Cherepanov discovered that the glob implementation in glibc does not correctly handle overlong names in struct dirent buffers when GLOB_ALTDIRFUNC is used.
Comment 1 Agostino Sarubbo gentoo-dev 2016-03-08 15:10:17 UTC
Unless I'm missing something the whiteboard is just upstream.
Comment 2 SpanKY gentoo-dev 2016-11-12 06:27:23 UTC
should be fixed in glibc-2.23-r3.  will need some time to bake in ~arch.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-13 14:11:17 UTC
@ Maintainer(s): One month later, can we now stabilize =sys-libs/glibc-2.23-r3?
Comment 4 SpanKY gentoo-dev 2016-12-14 16:28:11 UTC
i don't think we need to rush this.  wait until the end of Dec and it should be fine if there are no new issues.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-02 16:34:19 UTC
@ Arches,

please test and mark stable: =sys-libs/glibc-2.23-r3
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-01-05 08:41:16 UTC
amd64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-05 12:36:42 UTC
Stable on alpha.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-06 10:06:49 UTC
Stable for HPPA.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-06 14:33:14 UTC
Stable for PPC64.
Comment 10 Markus Meier gentoo-dev 2017-01-08 18:27:51 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-26 09:06:58 UTC
ia64 stable
Comment 12 Michael Weber (RETIRED) gentoo-dev 2017-02-10 13:32:59 UTC
ppc stable
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-18 19:12:43 UTC
x86 stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:40:04 UTC
This issue was resolved and addressed in
 GLSA 201702-11 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-19 12:41:46 UTC
Re-opening for remaining arch.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2017-02-19 14:35:07 UTC
Setting back to stable - sparc please complete stabilization (A2 = 5 Day Stabilization - Start Date: 2017-01-02
Comment 17 SpanKY gentoo-dev 2017-03-07 06:05:31 UTC
sparc is done now
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-07 13:07:52 UTC
@ Maintainer(s): Please cleanup and drop <sys-libs/glibc-2.23-r3 or remove keywords/apply masks to indicate a security problem.
Comment 19 Matthias Maier gentoo-dev 2017-06-19 16:30:18 UTC
commit aa57c4a8ee21fa208a21388c1291260c1dd8c389
Author: Matthias Maier <>
Date:   Thu Jun 8 11:20:38 2017 -0500

    profiles: Mask all glibc versions older than 2.23
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-19 17:13:49 UTC
Repository is clean, all done.