CVE-2009-5029

Publication date 19 December 2011

Last updated 24 July 2024


Ubuntu priority

Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.
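As an added illustration (not glibc's code and not the patch referenced in the notes below), the class of check this fix calls for: buffer sizes derived from untrusted TZif header counts have to be computed with overflow detection against SIZE_MAX before anything is allocated. The struct layout and per-record element sizes here are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Record counts read from an untrusted TZif header, already widened to
   size_t. Field names follow the tzfile(5) header; the struct itself is
   illustrative, not glibc's own. */
struct tzif_counts {
    size_t timecnt;   /* transition times */
    size_t typecnt;   /* local time type records */
    size_t charcnt;   /* abbreviation characters */
    size_t leapcnt;   /* leap second records */
    size_t isstdcnt;  /* standard/wall indicators */
    size_t isgmtcnt;  /* UT/local indicators */
};

/* *acc += n * elem, refusing to wrap around SIZE_MAX. */
static bool add_mul(size_t *acc, size_t n, size_t elem)
{
    if (elem != 0 && n > SIZE_MAX / elem)
        return false;                 /* n * elem would overflow */
    size_t bytes = n * elem;
    if (*acc > SIZE_MAX - bytes)
        return false;                 /* *acc + bytes would overflow */
    *acc += bytes;
    return true;
}

/* Bytes needed for the in-memory tables built from the header counts.
   Returns 0 if any product or sum would wrap; an unchecked computation
   would instead yield an undersized buffer that the subsequent reads
   overrun. Element sizes are assumed for the example. */
size_t tzif_table_size(const struct tzif_counts *c)
{
    size_t total = 0;
    if (!add_mul(&total, c->timecnt, sizeof(int64_t))      /* transitions */
     || !add_mul(&total, c->timecnt, 1)                    /* type index per transition */
     || !add_mul(&total, c->typecnt, 16)                   /* ttinfo records */
     || !add_mul(&total, c->charcnt, 1)                    /* abbreviations */
     || !add_mul(&total, c->leapcnt, 2 * sizeof(int64_t))  /* leap records */
     || !add_mul(&total, c->isstdcnt, 1)
     || !add_mul(&total, c->isgmtcnt, 1))
        return 0;
    return total;
}
```

A sane header yields a small positive size; a header whose counts push any product or running sum past SIZE_MAX is rejected with 0 rather than silently wrapping to a small allocation.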


Status

Package  Ubuntu Release    Status
eglibc   11.10 oneiric     Fixed 2.13-20ubuntu5.1
         11.04 natty       Fixed 2.13-0ubuntu13.1
         10.10 maverick    Fixed 2.12.1-0ubuntu10.4
         10.04 LTS lucid   Fixed 2.11.1-0ubuntu7.10
         8.04 LTS hardy    Not in release
glibc    11.10 oneiric     Not in release
         11.04 natty       Not in release
         10.10 maverick    Not in release
         10.04 LTS lucid   Not in release
         8.04 LTS hardy    Fixed 2.7-10ubuntu8.1

Notes

mdeslaur
see upstream bug for possible typo in commit

sbeattie
lucid also needs stdint.h included to get SIZE_MAX

jdstrand
patch in patches/any/cvs-tzfile.diff on precise

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
eglibc
glibc