Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1391 to the following vulnerability: Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec. References: ----------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1391 https://bugzilla.novell.com/show_bug.cgi?id=375315 http://www.securityfocus.com/bid/36443/references http://securityreason.com/achievement_securityalert/67
Statement: Red Hat does not consider this to be a security issue. Properly written application should not use arbitrary untrusted data as part of the format string passed to functions as strfmon or printf family functions.
Few more links for posterity: Old and new "research advisory" for this problem: http://securityreason.com/achievement_securityalert/53 http://securityreason.com/achievement_securityalert/67 Upstream bug reports: http://sourceware.org/bugzilla/show_bug.cgi?id=9707 http://sourceware.org/bugzilla/show_bug.cgi?id=10600
glibc variants of this *BSD libc issues reported in SecurityReason Advisory 67 got separate CVE ids CVE-2009-4881 (bug #599095) and CVE-2009-4880 (bug #599070).