Your submission was sent successfully! Close

CVE-2016-1234

Published: 1 June 2016

Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.

From the Ubuntu security team

Alexander Cherepanov discovered a stack-based buffer overflow in the glob implementation of the GNU C Library. An attacker could use this to specially craft a directory layout and cause a denial of service.

Notes

AuthorNote
sbeattie
see glibc bug for reproducer
requires malicious fs layout
Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
eglibc
Launchpad, Ubuntu, Debian
precise
Released (2.15-0ubuntu10.16)
trusty
Released (2.19-0ubuntu6.10)
upstream Needs triage

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

glibc
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist

upstream
Released (2.24)
wily Ignored
(reached end-of-life)
xenial
Released (2.23-0ubuntu6)
yakkety Not vulnerable
(2.24-0ubuntu1)
zesty Not vulnerable
(2.24-0ubuntu1)
Patches:
upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea