Glibc Multiple Bugs Allow FORTIFY_SOURCE Protection Mechanism to Be Bypassed
|
|
SecurityTracker Alert ID: 1027280 |
|
SecurityTracker URL: http://securitytracker.com/id/1027280
|
|
CVE Reference:
CVE-2012-3404, CVE-2012-3405, CVE-2012-3406
(Links to External Site)
|
Date: Jul 18 2012
|
Impact:
Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
Several vulnerabilities were reported in Glibc. A remote or local user can bypass format string protection to execute arbitrary code.
If a format string flaw exists in the target application, a remote or local user can trigger a buffer allocation error [CVE-2012-3404], memory initialization error [CVE-2012-3405], or access control error [CVE-2012-3406] in the FORTIFY_SOURCE format string protection mechanism and bypass the protection ostensibly provided by the mechanism to exploit the format string flaw.
|
Impact:
A remote or local user may be able to execute arbitrary code on the target system.
|
Solution:
The vendor has issued a source code fix for CVE-2012-3404 and CVE-2012-3405, available at:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=84a4211850e3d23a9d3a4f3b294752a3b30bc0ff
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a4647e727a2a52e1259474c13f4b13288938bed4
|
Vendor URL: www.gnu.org/software/libc/ (Links to External Site)
|
Cause:
Access control error, Boundary error
|
Underlying OS:
Linux (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
