Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 646490 (CVE-2018-6485) - <sys-libs/glibc-{2.25-r11,2.26-r6}: Integer overflow vulnerability in memalign functions
Summary: <sys-libs/glibc-{2.25-r11,2.26-r6}: Integer overflow vulnerability in memalig...
Status: RESOLVED FIXED
Alias: CVE-2018-6485
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: CVE-2018-6551
Blocks:
  Show dependency tree
 
Reported: 2018-02-03 15:07 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-04 01:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-03 15:07:06 UTC
CVE-2018-6485 (https://nvd.nist.gov/vuln/detail/CVE-2018-6485):
  An integer overflow in the implementation of the posix_memalign in memalign
  functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could
  cause these functions to return a pointer to a heap area that is too small,
  potentially leading to heap corruption.


@Maintainers please call for stabilization when ready, thank you
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2018-02-08 21:59:37 UTC
Fixed upstream in 2.27
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2018-02-08 22:07:32 UTC
Fix added to gentoo/2.26 branch, will be in patchlevel 6
Comment 3 Larry the Git Cow gentoo-dev 2018-02-08 23:50:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa2244fedca8e63902ba8d879dbf0f4d9548d754

commit fa2244fedca8e63902ba8d879dbf0f4d9548d754
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2018-02-08 23:49:17 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2018-02-08 23:49:40 +0000

    sys-libs/glibc: Revbump 2.26-r6 with next patchset (patchlevel 6)
    
    10 test failures need investigating:
    ===
    FAIL: elf/tst-prelink-cmp
    XPASS: elf/tst-protected1a
    XPASS: elf/tst-protected1b
    FAIL: malloc/tst-malloc-tcache-leak
    FAIL: math/test-float128-finite-tgamma
    FAIL: math/test-float128-finite-trunc
    FAIL: math/test-float128-tgamma
    FAIL: math/test-float128-trunc
    FAIL: math/test-ifloat128-tgamma
    FAIL: math/test-ifloat128-trunc
    FAIL: misc/tst-ttyname
    UNSUPPORTED: nptl/test-cond-printers
    UNSUPPORTED: nptl/test-condattr-printers
    UNSUPPORTED: nptl/test-mutex-printers
    UNSUPPORTED: nptl/test-mutexattr-printers
    UNSUPPORTED: nptl/test-rwlock-printers
    UNSUPPORTED: nptl/test-rwlockattr-printers
    FAIL: nss/tst-nss-files-hosts-multi
    Summary of test results:
         10 FAIL
       4113 PASS
          6 UNSUPPORTED
         29 XFAIL
          2 XPASS
    ===
    
    Bug: https://bugs.gentoo.org/646492
    Bug: https://bugs.gentoo.org/646490
    Bug: https://bugs.gentoo.org/641644
    Bug: https://bugs.gentoo.org/644278
    Package-Manager: Portage-2.3.21, Repoman-2.3.6

 sys-libs/glibc/Manifest             |   1 +
 sys-libs/glibc/glibc-2.26-r6.ebuild | 836 ++++++++++++++++++++++++++++++++++++
 2 files changed, 837 insertions(+)}
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2018-02-09 22:35:24 UTC
Fix added to gentoo/2.25 branch, will be in patchlevel 14
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2018-04-04 01:55:49 UTC
This issue was resolved and addressed in
 GLSA 201804-02 at https://security.gentoo.org/glsa/201804-02
by GLSA coordinator Aaron Bauman (b-man).