Bug 501196 (CVE-2012-3404) - <sys-libs/glibc-2.17: vfprintf vulnerabilities (CVE-2012-{3404,3405,3406})
Summary: <sys-libs/glibc-2.17: vfprintf vulnerabilities (CVE-2012-{3404,3405,3406})
Status: RESOLVED FIXED
Alias: CVE-2012-3404
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa cleanup]
Reported: 2014-02-13 15:04 UTC by GLSAMaker/CVETool Bot
Modified: 2015-03-08 14:54 UTC
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 15:04:55 UTC
CVE-2012-3406 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3406):
  The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka
  glibc) 2.5, 2.12, and probably other versions does not "properly restrict
  the use of" the alloca function when allocating the SPECS array, which
  allows context-dependent attackers to bypass the FORTIFY_SOURCE
  format-string protection mechanism and cause a denial of service (crash) or
  possibly execute arbitrary code via a crafted format string using positional
  parameters and a large number of format specifiers, a different
  vulnerability than CVE-2012-3404 and CVE-2012-3405.

CVE-2012-3405 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3405):
  The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library
  (aka glibc) 2.14 and other versions does not properly calculate a buffer
  length, which allows context-dependent attackers to bypass the
  FORTIFY_SOURCE format-string protection mechanism and cause a denial of
  service (segmentation fault and crash) via a format string with a large
  number of format specifiers that triggers "desynchronization within the
  buffer size handling," a different vulnerability than CVE-2012-3404.

CVE-2012-3404 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3404):
  The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library
  (aka glibc) 2.12 and other versions does not properly calculate a buffer
  length, which allows context-dependent attackers to bypass the
  FORTIFY_SOURCE format-string protection mechanism and cause a denial of
  service (stack corruption and crash) via a format string that uses
  positional parameters and many format specifiers.


@maintainers: Are we still affected by these?
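All three CVEs above rely on the same input shape: a runtime-supplied format string with positional (`%N$`) parameters and a large number of conversion specifiers, which is what desynchronised vfprintf's buffer-size handling and let FORTIFY_SOURCE's checks be bypassed. Updating glibc is the fix; as an added example (not code from this bug, glibc or Gentoo), the scanner below is the kind of pre-check a defender can put in front of any printf-family call that must accept an externally supplied format, rejecting positional parameters, `%n`, and specifier counts above a caller-chosen limit. The function name, struct and limit are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical report of what a printf-style format string contains. */
struct fmt_report {
    size_t nspecs;      /* conversion specifiers seen, excluding "%%" */
    bool   positional;  /* any "%N$" (or "*N$") positional reference seen */
    bool   writes_n;    /* any "%n" (write to memory) seen */
};

/* Scan fmt and fill *r. Returns true only if the format uses at most
 * max_specs conversions, no positional parameters and no %n, i.e. none
 * of the ingredients the CVE-2012-3404/3405/3406 reports describe. */
bool fmt_check(const char *fmt, size_t max_specs, struct fmt_report *r)
{
    memset(r, 0, sizeof *r);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* literal percent sign, not a conversion */
            continue;
        if (*p == '\0')         /* dangling '%' at end of string */
            break;
        /* Optional positional prefix: one or more digits followed by '$'. */
        const char *q = p;
        while (isdigit((unsigned char)*q))
            q++;
        if (q != p && *q == '$') {
            r->positional = true;
            p = q + 1;
        }
        /* Skip flags, width, precision and length modifiers; a '$' here
         * means a positional width/precision argument such as "%*2$d". */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) {
            if (*p == '$')
                r->positional = true;
            p++;
        }
        if (*p == '\0')
            break;
        r->nspecs++;            /* *p is the conversion character */
        if (*p == 'n')
            r->writes_n = true;
    }
    return r->nspecs <= max_specs && !r->positional && !r->writes_n;
}
```

A format that fails the check should be logged and refused rather than passed through; the report fields tell you which property tripped it.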
Comment 1 SpanKY gentoo-dev 2014-02-18 19:33:29 UTC
fairly certain glibc-2.17 (current stable) already contains these fixes
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-02-19 03:13:44 UTC
If you can confirm we will gladly close this. Thank you.
Comment 3 SpanKY gentoo-dev 2014-06-14 22:43:40 UTC
CVE-2012-3404 & CVE-2012-3405 are def fixed in >=glibc-2.15

however, i'm not seeing CVE-2012-3406.  RedHat is still carrying a patch for it.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 03:24:30 UTC
Added to an existing GLSA request.

Still need cleanup

Same as Bug #488084
> But we need to do something about cleaning up the tree... glibc goes back to version > 2.10.1-r1 clearly vulnerable.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 02:36:07 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:54:33 UTC
This issue was resolved and addressed in
 GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).