Date: Wed, 04 Feb 2015 00:17:05 +0100 From: Gsunde Orangen <gsunde.orangen@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: heap buffer overflow in glibc swscanf Hi Paul, all, test case also fails on 2.18 and 2.17, tested on openSUSE. I assume this bug was introduced by the fix for https://sourceware.org/bugzilla/show_bug.cgi?id=13138 Thus glibc 2.15ff are vulnerable. Gsunde On Sun, 1 Feb 2015 11:22:54 -0800, Paul Pluzhnikov wrote: > Greetings, > > https://sourceware.org/bugzilla/show_bug.cgi?id=16618 > is almost 1 year old, and still not fixed in glibc trunk. > > I have verified that the test case from it fails with libc6 > 2.19-0ubuntu6.5 and current trunk glibc. > > Don't know if it's exploitable, but it seems like it could easily be. > > (I'll see if I can fix it in the mean time.) > > Thanks, > -- > Paul Pluzhnikov
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.