Buffer overflow problem in glibc

Package(s): glibc glibc/shlibs, glibc, nscd
CVE #(s): CAN-2001-0886
Created: May 21, 2002
Updated: July 14, 2002
Description: The glibc filename globbing code has a buffer overflow problem. For those who are interested, Global InterSec LLC has provided a detailed description of this vulnerability. This problem was first reported by LWN on December 20th.
Alerts:
Trustix 2001-0029 2001-12-19
SuSE SuSE-SA:2001:046 2001-12-24
Slackware sl-1010856829 2002-01-12
Red Hat RHSA-2001:160-09 2001-12-14
Mandrake MDKSA-2001:095 2001-12-19
Mandrake MDKSA-2001:095-1 2002-01-08
Immunix IMNX-2001-70-037-01 2001-12-19
EnGarde ESA-20011217-01 2001-12-17
Debian DSA-103-1 2002-01-13
Conectiva CLA-2002:447 2002-01-03

Is this really the problem you reported on December 20?

Posted Jul 15, 2002 10:04 UTC (Mon) by rsidd (subscriber, #2582)

I'm slightly confused. Reading the Gentoo alert, this seems to be a bug in the DNS resolver, akin to the one found in the BSD libcs recently, but unrelated to the filename globbing problem you reported on Dec 20 (and which should be fixed in Gentoo, which ships with glibc 2.2.5). If it is related, perhaps you could clarify it?

Re: Is this really the problem you reported on December 20?

Posted Jul 15, 2002 12:39 UTC (Mon) by DeletedUser2583 ((unknown), #2583)

I can't see the connection either, and I find it rather unlikely that Gentoo has an unpatched hole that has been known and fixed with "all the other distributions" for half a year. (Especially since Gentoo has a rather new glibc, which *should* have fixed that problem by now.)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds