Date: Wed, 20 Jul 2016 21:31:28 -0700 From: Lucian Cojocar <lucian@...ocar.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: uclibc-ng (and uclibc): ARM arch: code execution On 06/29/2016 12:13 AM, Lucian Cojocar wrote: > Hi all, > > u-clibc and uclibc-ng is used in several projects[4, 5]. > > As described here, an attacker that controls the length parameter of > the `memset' can also control the value of the PC register. The issue is > similar to CVE-2011-2702. A patch has been proposed for uclibc-ng. A > denial of service proof of concept is available. > This was fixed in version 1.0.16 of uclibc-ng  http://mailman.uclibc-ng.org/pipermail/devel/2016-July/001067.html Lucian > > http://repo.or.cz/uclibc-ng.git/commit/e3848e3dd64a8d6437531488fe341354bc02eaed > http://article.gmane.org/gmane.comp.lib.uclibc-ng/27 > http://mailman.uclibc-ng.org/pipermail/devel/2016-May/000890.html > https://www.uclibc.org/products.html > http://www.uclibc-ng.org/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.