Bug 794763

Summary: glibc: F_S format string protection bypass via "nargs" integer overflow
Product: [Other] Security Response Reporter: Stefan Cornelius <scorneli>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fweimer
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20101117,reported=20120214,source=internet,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-4/glibc=wontfix,rhel-5/glibc=affected,rhel-6/glibc=affected,fedora-all/glibc=affected,cwe=CWE-190[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-17 10:48:02 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Stefan Cornelius 2012-02-17 10:08:05 EST
In the Phrack article "A Eulogy for Format Strings", a researcher using nickname "Captain Planet" reported an integer overflow flaw in the format string protection mechanism offered by FORTIFY_SOURCE. A remote attacker could provide a specially crafted executable, leading to FORTIFY_SOURCE format string protection mechanism bypass, when executed.

References:
http://www.phrack.org/issues.html?issue=67&id=9#article

Upstream bug and Kees Cook's proposed patches:
  http://sourceware.org/bugzilla/show_bug.cgi?id=13656
  http://sourceware.org/ml/libc-alpha/2012-02/msg00023.html
  http://sourceware.org/ml/libc-alpha/2012-02/msg00012.html
  http://sourceware.org/ml/libc-alpha/2012-02/msg00073.html
Comment 1 Stefan Cornelius 2012-02-17 10:48:02 EST

*** This bug has been marked as a duplicate of bug 794766 ***