This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/12671] multiple vulnerabilities in netdb.h/aliases.h/glob.h (CVE-2012-6686)
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 24 Feb 2015 11:08:32 +0000
- Subject: [Bug libc/12671] multiple vulnerabilities in netdb.h/aliases.h/glob.h (CVE-2012-6686)
- Auto-submitted: auto-generated
- References: <bug-12671-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=12671
Florian Weimer <fweimer at redhat dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|multiple vulnerabilities in |multiple vulnerabilities in
                   |netdb.h/aliases.h/glob.h    |netdb.h/aliases.h/glob.h
                   |                            |(CVE-2012-6686)
              Alias|                            |CVE-2012-6686
--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Tomas Hoger identified the following commits, quoting:
“Upstream has fixed a couple of unbound alloca uses which can lead to program
crashes if excessively long inputs are passed to certain functions.
http://sourceware.org/bugzilla/show_bug.cgi?id=12671
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f2962a71959fd254a7a223437ca4b63b9e81130c
covers cases that can be triggered via getaddrinfo, getservbyname* and glob.
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=34a9094f49241ebb72084c536cf468fd51ebe3ec
covers other alloca uses inside getaddrinfo.”
These commits went into glibc 2.14.
Debian identified another commit, which went into glibc 2.14.1 only:
https://sourceware.org/git/?p=glibc.git;a=commit;h=c8fc0c91695b1c7003c7170861274161f9224817
Source for the CVE mapping is here:
https://marc.info/?l=oss-security&m=142255034710625&w=2