clone 681473 -1
retitle 681473 CVE-2012-3404 CVE-2012-3405
retitle -1 CVE-2012-3406
thanks
On Fri, Jul 13, 2012 at 03:41:23PM +0200, Moritz Muehlenhoff wrote:
> Package: eglibc
> Severity: important
> Tags: security
>
> Hi,
> please see http://www.openwall.com/lists/oss-security/2012/07/11/17 for details
> and references to upstream patches.
>
> The security impact is rather low IMO; if the format strings are under control
> of an attacker, this opens a whole can of worms anyway.
>
> Still, it would be nice to get these fixed for Wheezy and for Squeeze in a point
> update.

I'll add the patches for CVE-2012-3404 and CVE-2012-3405 as they come from
upstream and look correct.

For CVE-2012-3406 RedHat, as usual, hasn't submitted the patch upstream and
thus it hasn't been reviewed. I have looked at it quickly and I have to say I
don't really like it. Replacing a call to alloca() by a call to malloc()
without checking the return value is only a small improvement when the
attacker can control the allocation size. Also it means the attacker can DoS
the system or crash the program. To finish, malloc() + memmove() + free() is
not the best way to reallocate big chunks of memory when realloc() exists.

I am therefore not planning to apply this patch in the current state, and
thus I am cloning this bug to keep this CVE entry separated from the others.

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurel...@aurel32.net                 http://www.aurel32.net
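As an added illustration of the review points above (this is not glibc code and not the Red Hat patch under discussion): a buffer-growth helper written the way the message argues for, with an assumed size ceiling `MAX_GROW` so an attacker-controlled length cannot drive arbitrarily large allocations, and `realloc()` called through a temporary pointer so an allocation failure is reported instead of crashing or leaking the old buffer.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Assumed policy value for this example: refuse to grow past 1 MiB. */
#define MAX_GROW ((size_t)1 << 20)

/* Grow *buf (current capacity *cap) so it holds at least `needed` bytes.
 * Returns 0 on success and -1 on refusal or allocation failure; on -1 the
 * caller's buffer and capacity are left untouched, so nothing is lost and
 * nothing dereferences a NULL pointer. realloc() moves the old contents
 * itself, so there is no malloc() + memmove() + free() sequence here. */
int grow_buffer(char **buf, size_t *cap, size_t needed)
{
    if (needed <= *cap)
        return 0;                        /* already large enough */
    if (needed > MAX_GROW)
        return -1;                       /* bounded: oversized request refused */

    size_t newcap = *cap ? *cap : 64;
    while (newcap < needed)
        newcap *= 2;                     /* cannot overflow: needed <= MAX_GROW */
    if (newcap > MAX_GROW)
        newcap = MAX_GROW;

    char *tmp = realloc(*buf, newcap);   /* checked: failure keeps *buf valid */
    if (tmp == NULL)
        return -1;
    *buf = tmp;
    *cap = newcap;
    return 0;
}

/* Example caller: build a string of n copies of c in a grown buffer.
 * Returns NULL when the growth request is refused or fails. */
char *repeat_char(char c, size_t n)
{
    char *buf = NULL;
    size_t cap = 0;
    if (n >= MAX_GROW)                   /* also guards the n + 1 below */
        return NULL;
    if (grow_buffer(&buf, &cap, n + 1) != 0)
        return NULL;
    memset(buf, c, n);
    buf[n] = '\0';
    return buf;
}
```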