Date: Tue, 27 Nov 2018 22:04:31 +0100 From: Florian Weimer <fweimer@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2018-19591: glibc if_nametoindex may not close descriptor Guido Vranken reported that the glibc implementation of if_nametoindex would not close an internal descriptor when processing a long interface name. This error condition can be triggered via the getaddrinfo function (and at least one HTTP client library). <https://sourceware.org/bugzilla/show_bug.cgi?id=23927> Fixed with this upstream commit: commit d527c860f5a3f0ed687bd03f0cb464612dc23408 Author: Florian Weimer <fweimer@...hat.com> Date: Tue Nov 27 16:12:43 2018 +0100 CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927] The vulnerability was introduced in commit 2180fee114b778515b3f560e5ff1e795282e60b0 ("Check length of ifname before copying it into to ifreq structure."), fixing bug 22442 for glibc 2.27. Since this addressed a compiler warning with GCC 8, this commit was backported to quite a few release branches. Thanks, Florian
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.