CVE-2009-5029
Published: 19 December 2011
Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.
Notes
Author | Note |
---|---|
mdeslaur | see upstream bug for possible typo in commit |
sbeattie | lucid also needs stdint.h included to get SIZE_MAX |
jdstrand | patch in patches/any/cvs-tzfile.diff on precise |
Priority
Status
Package | Release | Status |
---|---|---|
eglibc (Launchpad, Ubuntu, Debian) | hardy | Does not exist |
eglibc | lucid | Released (2.11.1-0ubuntu7.10) |
eglibc | maverick | Released (2.12.1-0ubuntu10.4) |
eglibc | natty | Released (2.13-0ubuntu13.1) |
eglibc | oneiric | Released (2.13-20ubuntu5.1) |
eglibc | upstream | Released (2.13-24) |
glibc (Launchpad, Ubuntu, Debian) | hardy | Released (2.7-10ubuntu8.1) |
glibc | lucid | Does not exist |
glibc | maverick | Does not exist |
glibc | natty | Does not exist |
glibc | oneiric | Does not exist |
glibc | upstream | Needs triage |

Patches (eglibc):
upstream: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=97ac2654b2d831acaa18a2b018b0736245903fd2

Patches (glibc):
upstream: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=97ac2654b2d831acaa18a2b018b0736245903fd2