Author: derevko-guest
Date: 2010-04-03 13:20:56 +0000 (Sat, 03 Apr 2010)
New Revision: 14389
Modified:
data/CVE/list
Log:
CVE-2008-1391: glibc is affected
Modified: data/CVE/list
==================================================================---
data/CVE/list 2010-04-03 12:53:25 UTC (rev 14388)
+++ data/CVE/list 2010-04-03 13:20:56 UTC (rev 14389)
@@ -29571,6 +29571,13 @@
CVE-2008-1391 (Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x
and 7.x, ...)
- kfreebsd-6 <not-affected> (see bug #483152)
- kfreebsd-7 <not-affected> (see bug #483152)
+ - glibc <removed> (low)
+ - eglibc 2.11-0exp6 (low)
+ [lenny] - glibc <no-dsa> (minor issue)
+ NOTE: not sure if it is a security bug, an attacker should not be able to
change the format string
+ NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d
+ NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=10600
+ NOTE: PoC php -r
''money_format("%.1073741821i",1);'' I can reproduce
on 32bit, not 64bit
CVE-2008-1390 (The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before
...)
- asterisk 1:1.4.19.1~dfsg-1 (low)
[etch] - asterisk <not-affected> (Only 1.4.x affected)