Bug 599070 (CVE-2009-4880)

Summary: CVE-2009-4880 glibc (32-bit): Multiple integer overflows in the printf implementation
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: drepper, jakub, schwab, wnefal+redhatbugzilla
Keywords: Security
Hardware: All
OS: Linux
URL: http://securityreason.com/achievement_securityalert/67
Doc Type: Bug Fix
Last Closed: 2011-02-04 19:08:58 UTC

Description Jan Lieskovsky 2010-06-02 15:59:30 UTC
Common Vulnerabilities and Exposures assigned the identifier CVE-2009-4880 to
the following vulnerability:

Multiple integer overflows in the strfmon implementation in the GNU C
Library (aka glibc or libc6) 2.10.1 and earlier allow
context-dependent attackers to cause a denial of service (memory
consumption or application crash) via a crafted format string, as
demonstrated by a crafted first argument to the money_format function
in PHP, a related issue to CVE-2008-1391.

References:
  [1] http://securityreason.com/achievement_securityalert/67
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=524671
  [3] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
  [4] http://sourceware.org/git/?p=glibc.git;a=commit;h=199eb0de8d673fb23aa127721054b4f1803d61f3
  [5] http://www.ubuntu.com/usn/USN-944-1
  [6] http://www.securityfocus.com/bid/36443
  [7] http://secunia.com/advisories/39900
  [8] http://www.vupen.com/english/advisories/2010/1246

Public PoC (from [3]):

[cx@localhost ~]$ php -r 'money_format("%.1073741821i",1);'
Segmentation fault

Comment 5 Tomas Hoger 2011-02-04 19:08:58 UTC
More details on this bug can be found in upstream bugzilla #10600 or in Fedora bug #496386.

Both issues affecting glibc and reported in SecurityReason Advisory 67 are corrected in Red Hat Enterprise Linux 6 glibc packages.

Statement:

Red Hat does not consider this bug to be a security issue. A properly written application should not use arbitrary untrusted data as part of the format string passed to functions such as strfmon or the printf family of functions.
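The mitigation the statement points at, as an added example that is not part of the bug report or of glibc: a caller that must accept a money format from outside bounds every width and precision field and allows only the documented strfmon conversions before the string reaches glibc, so the PoC above is rejected instead of formatted. `MAX_MONEY_FIELD`, `money_format_is_safe` and `safe_strfmon` are this example's own names and assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <monetary.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed bound for this example: no legitimate money field is wider. */
#define MAX_MONEY_FIELD 64

/* Parse one decimal field (width, #left or .right precision) at *pp and
 * accept it only if it is <= MAX_MONEY_FIELD.  A digit run that overflows
 * unsigned long sets ERANGE and is rejected as well. */
static int bounded_number(const char **pp)
{
    char *end;
    unsigned long n;
    if (!isdigit((unsigned char)**pp))
        return 0;
    errno = 0;
    n = strtoul(*pp, &end, 10);
    *pp = end;
    return errno == 0 && n <= MAX_MONEY_FIELD;
}

/* Returns 1 if every conversion in fmt has the documented shape
 *   %[=f][^][(|+][!][-][width][#left][.right](i|n)   or is the literal %%
 * with all numeric fields bounded; returns 0 otherwise. */
int money_format_is_safe(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }               /* literal percent */
        for (;;) {                                      /* optional flags */
            if (*p == '=' && p[1] != '\0') p += 2;      /* =f: fill character f */
            else if (*p && strchr("^(+!-", *p)) p++;
            else break;
        }
        if (isdigit((unsigned char)*p) && !bounded_number(&p)) return 0; /* width */
        if (*p == '#') { p++; if (!bounded_number(&p)) return 0; }        /* #left */
        if (*p == '.') { p++; if (!bounded_number(&p)) return 0; }        /* .right */
        if (*p != 'i' && *p != 'n') return 0;           /* conversion character */
        p++;
    }
    return 1;
}

/* Hand the format to glibc only after it has been checked.  Returns -1 with
 * errno = EINVAL for a rejected format, otherwise strfmon's own result. */
ssize_t safe_strfmon(char *buf, size_t max, const char *fmt, double value)
{
    if (!money_format_is_safe(fmt)) { errno = EINVAL; return -1; }
    return strfmon(buf, max, fmt, value);
}
```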