CVE-2013-4788
Published: 4 October 2013
The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address.
Notes
| Author | Note |
|---|---|
| jdstrand | PoC in linux-distros@ (tested on Ubuntu 12.04, 13.04 and Debian 7.1) Only statically compiled executables, dynamic not affected upstream patch not available as of 2013-07-12 |
| seth-arnold | PTR MANGLE is a security-hardening feature; exploiting this flaw requires a flaw in a statically linked executable that allows write access to one of the types of pointers that is mangled. Fixing the consequences of this flaw requires rebuilding all security-sensitive statically linked executables. |
| mdeslaur | fix for this was reverted in saucy as it was causing the ARM testuite to fail. |
| sbeattie | fix was re-enabled in trusty with the addition of the patches/any/cvs-CVE-2013-4788-static-ptrguard-arm.diff patch. |
| mdeslaur | we will not be fixing this issue for earlier releases. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
eglibc Launchpad, Ubuntu, Debian |
lucid |
Ignored
|
| precise |
Ignored
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Ignored
|
|
| trusty |
Not vulnerable
(2.18-0ubuntu1)
|
|
| upstream |
Needed
|
|
|
Patches: other: http://hmarco.org/bugs/patches/ptr_mangle-eglibc-2.17.patch upstream: https://sourceware.org/git/?p=glibc.git;a=commit;h=c61b4d41c9647a54a329aa021341c0eb032b793e upstream: https://sourceware.org/git/?p=glibc.git;a=commit;h=0b1f8e35640f5b3f7af11764ade3ff060211c309 upstream: https://sourceware.org/git/?p=glibc.git;a=commit;h=5ebbff8fd1529aec13ac4d2906c1a36f3e738519 |
||