Bug 599095 (CVE-2009-4881) - CVE-2009-4881 glibc (32-bit): Integer overflow in the __vstrfmon_l function
Summary: CVE-2009-4881 glibc (32-bit): Integer overflow in the __vstrfmon_l function
Alias: CVE-2009-4881
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://securityreason.com/achievement...
Whiteboard: impact=none,source=cve,reported=20100...
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2010-06-02 17:02 UTC by Jan Lieskovsky
Modified: 2019-06-08 13:01 UTC (History)
4 users (show)

Clone Of:
Last Closed: 2011-02-04 19:04:14 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Sourceware 10600 None None None 2019-06-10 06:17 UTC

Description Jan Lieskovsky 2010-06-02 17:02:24 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4881 to
the following vulnerability:

Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in
the strfmon implementation in the GNU C Library (aka glibc or libc6)
before 2.10.1 allows context-dependent attackers to cause a denial of
service (application crash) via a crafted format string, as
demonstrated by the %99999999999999999999n string, a related issue to

  [1] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
  [2] http://sourceware.org/git/?p=glibc.git;a=commit;h=153aa31b93be22e01b236375fb02a9f9b9a0195f
  [3] http://sources.redhat.com/bugzilla/show_bug.cgi?id=10600
  [4] http://securityreason.com/achievement_securityalert/53
  [5] http://xorl.wordpress.com/2009/04/11/cve-2008-1391-netbsd-strfmon-integer-overflow/

Public PoC (from [4]):

#include <stdio.h>
#include <monetary.h>

int main(int argc, char* argv[]){
char buff[51];
char *bux=buff;
int res;

res=strfmon(bux, 50, argv[1], "0");
return 0;

cxib# ./pln %99999999999999999999n

Comment 4 Tomas Hoger 2010-09-14 15:05:05 UTC
Related CVE-2008-1391 was tracked via bug #524671.  Related Fedora bugs with some more discussion of the both bugs - bug #496386.

Comment 5 Tomas Hoger 2011-02-04 19:04:14 UTC
For future reference, this issue is glibc variant of the *BSD libc issue that got assigned CVE-2008-1391 id, originally reported via SecurityReason Advisory 53.  The glibc variant was reported via SecurityReason Advisory 67 along with other integer overflow in the printf implementation (CVE-2009-4880, bug #599070, see upstream bugzilla #10600 for details).

Both issues affecting glibc and reported in SecurityReason Advisory 67 are corrected in Red Hat Enterprise Linux 6 glibc packages.


Red Hat does not consider this bug to be a security issue. Properly written application should not use arbitrary untrusted data as part of the format string passed to functions as strfmon or printf family functions.

Note You need to log in before you can comment on or make changes to this bug.