Bug 599070 (CVE-2009-4880) - CVE-2009-4880 glibc (32-bit): Multiple integer overflows in the printf implementation
Summary: CVE-2009-4880 glibc (32-bit): Multiple integer overflows in the printf implem...
Status: CLOSED NOTABUG
Alias: CVE-2009-4880
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://securityreason.com/achievement...
Whiteboard: impact=none,source=cve,reported=20100...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-02 15:59 UTC by Jan Lieskovsky
Modified: 2016-03-04 12:39 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-02-04 19:08:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Sourceware 10600 None None None Never

Description Jan Lieskovsky 2010-06-02 15:59:30 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4880 to
the following vulnerability:

Multiple integer overflows in the strfmon implementation in the GNU C
Library (aka glibc or libc6) 2.10.1 and earlier allow
context-dependent attackers to cause a denial of service (memory
consumption or application crash) via a crafted format string, as
demonstrated by a crafted first argument to the money_format function
in PHP, a related issue to CVE-2008-1391.

References:
  [1] http://securityreason.com/achievement_securityalert/67
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=524671
  [3] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
  [4] http://sourceware.org/git/?p=glibc.git;a=commit;h=199eb0de8d673fb23aa127721054b4f1803d61f3
  [5] http://www.ubuntu.com/usn/USN-944-1
  [6] http://www.securityfocus.com/bid/36443
  [7] http://secunia.com/advisories/39900
  [8] http://www.vupen.com/english/advisories/2010/1246

Public PoC (from [3]):

[cx@localhost ~]$ php -r 'money_format("%.1073741821i",1);'
Segmentation fault

Comment 5 Tomas Hoger 2011-02-04 19:08:58 UTC
More details on this bug can be found in upstream bugzilla #10600 or in Fedora bug #496386.

Both issues affecting glibc and reported in SecurityReason Advisory 67 are corrected in Red Hat Enterprise Linux 6 glibc packages.

Statement:

Red Hat does not consider this bug to be a security issue. Properly written application should not use arbitrary untrusted data as part of the format string passed to functions as strfmon or printf family functions.


Note You need to log in before you can comment on or make changes to this bug.