CVE-2008-1391

Priority
Medium
Description
Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and
probably other BSD and Apple Mac OS platforms allow context-dependent
attackers to execute arbitrary code via large values of certain integer
fields in the format argument to (1) the strfmon function in
lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the
printf function, related to left_prec and right_prec.
References
Notes
kees> originally limited to NetBSD
kees> php -r 'money_format("%1073741821i",1);'
kees> php -r 'money_format("%#1073741821i",1);'
kees> php -r 'money_format("%.1073741821i",1);'
Package
Source: glibc (LP Ubuntu Debian)
Upstream: needed
Ubuntu 8.04 LTS (Hardy Heron): released (2.7-10ubuntu6)
Ubuntu 10.04 LTS (Lucid Lynx): DNE
Patches:
Proposed: http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdlib/strfmon.c.diff?r1=1.6&r2=1.7
Upstream: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d
Package
Upstream: needed
Ubuntu 8.04 LTS (Hardy Heron): DNE
Ubuntu 10.04 LTS (Lucid Lynx): not-affected (2.11.1-0ubuntu5)
Patches:
Proposed: http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdlib/strfmon.c.diff?r1=1.6&r2=1.7
Upstream: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d
More Information

Updated: 2012-06-01 15:18:41 UTC (commit 5347)