CVE-2021-35942: The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations. Unreleased patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c
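The description above pins the bug class on using atoi where strtoul belongs: atoi reports no errors, accepts a leading minus sign, and has undefined behaviour on overflow, so a crafted offset in a `${parameter:offset}` style expansion can become an out-of-range index into the word buffer. The constructed C example below is added here to illustrate that class; it is not glibc's code and not the patched parse_param. The functions parse_offset_atoi, parse_offset_checked and substring_from are invented for this illustration, and the checked version shows the validation a defender wants from the replacement: overflow detection via errno, rejection of signs and trailing junk, and a bounds check against the buffer length.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern the CVE text describes (constructed, not glibc's parse_param):
 * atoi gives no way to detect overflow, silently accepts "-5", and stops at
 * the first non-digit, so the caller cannot tell a bad offset from a good one. */
long parse_offset_atoi(const char *s)
{
    return atoi(s);
}

/* Hardened replacement: parse a non-negative substring offset for a buffer
 * of length `len`. Stores the offset in *out and returns true only when the
 * whole string is digits, the value fits, and it does not pass the end of
 * the buffer (offset == len is allowed and yields the empty suffix). */
bool parse_offset_checked(const char *s, size_t len, size_t *out)
{
    if (s == NULL || *s == '\0')
        return false;
    /* strtoul accepts leading whitespace and a sign, and "-1" wraps to
     * ULONG_MAX without setting errno, so reject those forms explicitly. */
    if (*s == '-' || *s == '+' || *s == ' ' || *s == '\t')
        return false;

    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE)          /* value did not fit in unsigned long */
        return false;
    if (end == s || *end != '\0') /* no digits at all, or trailing junk */
        return false;
    if (v > len)                  /* would index past the buffer */
        return false;

    *out = (size_t)v;
    return true;
}

/* Expand word[offset:] using the checked parser. Returns a pointer into
 * `word` on success, NULL when the offset text is rejected. */
const char *substring_from(const char *word, const char *offset_text)
{
    size_t off;
    if (!parse_offset_checked(offset_text, strlen(word), &off))
        return NULL;
    return word + off;
}

int main(void)
{
    /* Constructed inputs: one valid offset and three that the unchecked
     * parser would happily turn into an index. */
    const char *inputs[] = { "2", "-5", "12abc", "99999999999999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *r = substring_from("hello", inputs[i]);
        printf("offset %-22s atoi=%-12ld checked=%s\n", inputs[i],
               parse_offset_atoi(inputs[i]), r ? r : "(rejected)");
    }
    return 0;
}
```

The two defined-behaviour cases make the contrast visible without relying on overflow: atoi("-5") returns -5 and atoi("12abc") returns 12, both of which the checked parser rejects, and a 20-digit offset is refused via ERANGE instead of being silently truncated or wrapped.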
Package list is empty or all packages have requested keywords.
fixed in Gentoo 2.33 patchset 5
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=db5361e1e42ef0dfb4d6eda6648cae61bea60edf

commit db5361e1e42ef0dfb4d6eda6648cae61bea60edf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-24 ] GNU C Library: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/803437
    Bug: https://bugs.gentoo.org/807935
    Bug: https://bugs.gentoo.org/831096
    Bug: https://bugs.gentoo.org/831212
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-24.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
GLSA done, all done.