CVE-2008-1391

Priority
Medium
Description
Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and
probably other BSD and Apple Mac OS platforms allow context-dependent
attackers to execute arbitrary code via large values of certain integer
fields in the format argument to (1) the strfmon function in
lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the
printf function, related to left_prec and right_prec.
References
Notes
 kees> originally limited to NetBSD
 kees> php -r 'money_format("%1073741821i",1);'
 kees> php -r 'money_format("%#1073741821i",1);'
 kees> php -r 'money_format("%.1073741821i",1);'
Package
Source: glibc (LP Ubuntu Debian)
Upstream:needed
Patches:
Proposed:http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdlib/strfmon.c.diff?r1=1.6&r2=1.7
Upstream:http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d
Package
Upstream:needed
Patches:
Proposed:http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdlib/strfmon.c.diff?r1=1.6&r2=1.7
Upstream:http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d
More Information

Valid XHTML 1.0 Strict

Updated: 2015-07-29 20:32:17 UTC (commit 9756)