CVE-2011-1659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1659): Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071.
Can we go stable with a 2.13 version? Please also take into account the other 2.13-ish issues we just filed.
2.13 has been stable for a long time. @security: ok to glsa for it?
I believe this may have been addressed via [1], post 2.13 release, and I don't see any patches in 2.13-r4 that address this? @toolchain, would you agree? If so, how do you think we should move this forward?
[1] http://sourceware.org/git/?p=glibc.git;a=commit;h=8126d90480fa3e0c5c5cd0d02cb1c93174b45485
i think Agostino just misread the summary (<2.13 vs <=2.13). it's fixed in glibc-2.14, and i'll be posting that for stabilization soonish, so probably best to just let it filter that route.
(In reply to comment #3)
> i think Agostino just misread the summary (<2.13 vs <=2.13). it's fixed in
> glibc-2.14, and i'll be posting that for stabilization soonish, so probably
> best to just let it filter that route.
Thanks for the clarification Mike. The stabilization will be done in bug 411903.
Thanks, everyone. GLSA request filed.
toolchain done
This issue was resolved and addressed in GLSA 201312-01 at http://security.gentoo.org/glsa/glsa-201312-01.xml by GLSA coordinator Chris Reffett (creffett).