Bug 599070 - (CVE-2009-4880) CVE-2009-4880 glibc (32-bit): Multiple integer overflows in the printf implementation
CVE-2009-4880 glibc (32-bit): Multiple integer overflows in the printf implem...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
  Show dependency treegraph
Reported: 2010-06-02 11:59 EDT by Jan Lieskovsky
Modified: 2016-03-04 07:39 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-02-04 14:08:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Sourceware 10600 None None None Never

  None (edit)
Description Jan Lieskovsky 2010-06-02 11:59:30 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4880 to
the following vulnerability:

Multiple integer overflows in the strfmon implementation in the GNU C
Library (aka glibc or libc6) 2.10.1 and earlier allow
context-dependent attackers to cause a denial of service (memory
consumption or application crash) via a crafted format string, as
demonstrated by a crafted first argument to the money_format function
in PHP, a related issue to CVE-2008-1391.

  [1] http://securityreason.com/achievement_securityalert/67
  [2] https://bugzilla.redhat.com/show_bug.cgi?id=524671
  [3] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
  [4] http://sourceware.org/git/?p=glibc.git;a=commit;h=199eb0de8d673fb23aa127721054b4f1803d61f3
  [5] http://www.ubuntu.com/usn/USN-944-1
  [6] http://www.securityfocus.com/bid/36443
  [7] http://secunia.com/advisories/39900
  [8] http://www.vupen.com/english/advisories/2010/1246

Public PoC (from [3]):

[cx@localhost ~]$ php -r 'money_format("%.1073741821i",1);'
Segmentation fault
Comment 5 Tomas Hoger 2011-02-04 14:08:58 EST
More details on this bug can be found in upstream bugzilla #10600 or in Fedora bug #496386.

Both issues affecting glibc and reported in SecurityReason Advisory 67 are corrected in Red Hat Enterprise Linux 6 glibc packages.


Red Hat does not consider this bug to be a security issue. Properly written application should not use arbitrary untrusted data as part of the format string passed to functions as strfmon or printf family functions.

Note You need to log in before you can comment on or make changes to this bug.