Bug 611344 (CVE-2016-10228) - <sys-libs/glibc-2.31-r7: iconv program can hang when invoked with the -c option
Status: RESOLVED FIXED
Alias: CVE-2016-10228
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa+ cve]
Depends on: glibc-2.32-stable 759640
Reported: 2017-03-01 23:38 UTC by Thomas Deutschmann
Modified: 2021-01-25 00:05 UTC

Description Thomas Deutschmann gentoo-dev Security 2017-03-01 23:38:04 UTC
The iconv program (not the iconv function) provided by glibc can hang (enter an infinite loop) when invoked with the -c option and an invalid multi-byte sequence is encountered in the input. See $URL for more details.
Comment 1 Larry the Git Cow gentoo-dev 2020-09-25 19:42:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af0c4db7d53eafd2a797c082f85662c945ad01de

commit af0c4db7d53eafd2a797c082f85662c945ad01de
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2020-09-25 19:42:22 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2020-09-25 19:42:40 +0000

    sys-libs/glibc: Re-keyword 2.31 patchlevel 9
    
    This contains the following fixes:
    * Rewrite iconv option parsing [BZ #19519]
    * powerpc: Fix incorrect cache line size load in memset (bug 26332)
    * nptl: Zero-extend arguments to SETXID syscalls [BZ #26248]
    * Disable warnings due to deprecated libselinux symbols used by nss and nscd
    
    Bug: https://bugs.gentoo.org/736904
    Bug: https://bugs.gentoo.org/611344
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/glibc-2.31-r7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 John Helmert III gentoo-dev Security 2021-01-09 21:32:04 UTC
Now that 2.32-r3 is stabilized, is it possible to clean up the vulnerable versions here?
Comment 3 Sam James archtester gentoo-dev Security 2021-01-10 00:11:00 UTC Comment hidden (obsolete)
Comment 4 Sam James archtester gentoo-dev Security 2021-01-10 00:11:42 UTC Comment hidden (obsolete)
Comment 5 Larry the Git Cow gentoo-dev 2021-01-22 21:33:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35d4ea74c32998a497e695559fc534bc1a324b88

commit 35d4ea74c32998a497e695559fc534bc1a324b88
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-01-22 21:33:10 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-01-22 21:33:10 +0000

    package.mask: Extend glibc mask
    
    Bug: https://bugs.gentoo.org/611344
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Andreas K. Hüttel gentoo-dev 2021-01-22 21:34:48 UTC
All affected versions are masked. No cleanup (toolchain). Please proceed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2021-01-25 00:05:55 UTC
This issue was resolved and addressed in GLSA 202101-20 at https://security.gentoo.org/glsa/202101-20 by GLSA coordinator Aaron Bauman (b-man).