Maksymilian Arciemowicz asked me to try to reproduce this on Gentoo, both Linux and BSD, because some other Linux distribution is apparently vulnerable to this issue. Could someone try the example codes from $URL on Gentoo/BSD (do we track security problems here anyway?) and stable Gentoo/Linux?

I've tried on latest ~amd64 w/ linux-2.6.27 and glibc-2.9_p20081201 and all examples exited with exit code 0 immediately (i.e. no crash and no hang). Still, I think better safe than sorry, so please test on stable Linux as well.

Whoever marked the CVE as NOTFORUS in SVN w/ comment "libc in NetBSD": The advisory says that probably all *BSD libcs are vulnerable, so FBSD probably as well... and Gentoo/FBSD is not considered dead, is it?
(In reply to comment #0)
> Could someone try the example codes from $URL on Gentoo/BSD (do we track
> security problems here anyway?) and stable Gentoo/Linux?

Crash and hangs on Gentoo/FreeBSD. It is fixed upstream on FreeBSD-CURRENT [1]. Patch applied and tested on gentoo-bsd overlay [2].

> well... and Gentoo/FBSD is not considered dead, is it?

Gentoo/FBSD is not dead, yet the version currently in portage is (or will be soon) pretty much deprecated (6.2 is way too old and getting 6.x to work with gcc4 was a PITA). Consider this fixed (for BSD) when 7.x hits the tree (which will be soonish).

[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/strfmon.c.diff?r2=1.14.12.1&r1=1.19&f=u
[2] http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-bsd.git;a=commitdiff
(In reply to comment #1)
> Consider this fixed (for BSD) when 7.x hits the tree (which
> will be soonish).

7.1 packages are in the tree, so I guess this is fixed. Please reopen if I missed something.