[Secure-testing-commits] r14389 - data/CVE

Giuseppe Iuculano derevko-guest at alioth.debian.org
Sat Apr 3 13:20:58 UTC 2010


Author: derevko-guest
Date: 2010-04-03 13:20:56 +0000 (Sat, 03 Apr 2010)
New Revision: 14389

Modified:
   data/CVE/list
Log:
CVE-2008-1391: glibc is affected

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-04-03 12:53:25 UTC (rev 14388)
+++ data/CVE/list	2010-04-03 13:20:56 UTC (rev 14389)
@@ -29571,6 +29571,13 @@
 CVE-2008-1391 (Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, ...)
 	- kfreebsd-6 <not-affected> (see bug #483152)
 	- kfreebsd-7 <not-affected> (see bug #483152)
+	- glibc <removed> (low)
+	- eglibc 2.11-0exp6 (low)
+	[lenny] - glibc <no-dsa> (minor issue)
+	NOTE: not sure if it is a security bug, an attacker should not be able to change the format string
+	NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d
+	NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=10600
+	NOTE: PoC php -r 'money_format("%.1073741821i",1);' I can reproduce on 32bit, not 64bit
 CVE-2008-1390 (The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before ...)
 	- asterisk 1:1.4.19.1~dfsg-1 (low)
 	[etch] - asterisk <not-affected> (Only 1.4.x affected)




More information about the Secure-testing-commits mailing list