Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 21 Oct 2017 19:19:46 +0100
From: Eddie Chapman <>
Subject: CVE-2017-15670, CVE-2017-15671 glibc: Buffer overflow and memory leak
 in glob with GLOB_TILDE

Just a heads up for anyone around over the weekend ...

== CVE-2017-15670 ==
"The GNU C Library (aka glibc or libc6) before 2.27 contains an 
off-by-one error leading to a heap-based buffer overflow in the glob 
function in glob.c, related to the processing of home directories using 
the ~ operator followed by a long string."
"It is possible that an attacker might use this to escalate his 
privileges or execute code."

Upstream patch:

== CVE-2017-15671 ==
"The glob function in glob.c in the GNU C Library (aka glibc or libc6) 
before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated 
memory when processing the ~ operator with a long user name, potentially 
leading to a denial of service (memory leak)."

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ