touch-packages team mailing list archive

Thread
Date

[Bug 1048203] Re: (CVE-2012-4412) glibc: strcoll() integer overflow leading to buffer overflow

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Bug Watch Updater <1048203@xxxxxxxxxxxxxxxxxx>
Date: Thu, 12 Mar 2015 11:34:42 -0000
Reply-to: Bug 1048203 <1048203@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: gentoo
       Status: Unknown => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1048203

Title:
  (CVE-2012-4412) glibc: strcoll() integer overflow leading to buffer
  overflow

Status in The GNU C Library:
  Fix Released
Status in eglibc package in Ubuntu:
  Fix Released
Status in eglibc package in Debian:
  Fix Released
Status in Fedora:
  Unknown
Status in Gentoo Linux:
  Fix Released

Bug description:
  An integer overflow, leading to buffer overflow flaw was found in the
  way the implementation of strcoll() routine, used to compare two
  strings based on the current locale, of glibc, the GNU libc libraries,
  performed calculation of memory requirements / allocation, needed for
  storage of the strings. If an application linked against glibc was
  missing an application-level sanity checks for validity of strcoll()
  arguments and accepted untrusted input, an attacker could use this
  flaw to cause the particular application to crash or, potentially,
  execute arbitrary code with the privileges of the user running the
  application.

  Upstream bug report (including reproducer):
  [1] http://sourceware.org/bugzilla/show_bug.cgi?id=14547

To manage notifications about this bug go to:
https://bugs.launchpad.net/glibc/+bug/1048203/+subscriptions