REDHAT-BUG-761245: Buffer Overflow
First published: Wed Dec 07 2011(Updated: )
There exists a integer overflow to buffer overflow vulnerability within __tzfile_read function of the GNU C Library. This vulnerability was published by dividead early in 2009 in the following blog post: <a href="http://dividead.wordpress.com/2009/06/01/glibc-timezone-integer-overflow/">http://dividead.wordpress.com/2009/06/01/glibc-timezone-integer-overflow/</a> In December 3, Kingcope, at Full Disclosure Mailing List, noted vsftpd as one possible attack vector for this issue: <a href="http://lists.grok.org.uk/pipermail/full-disclosure/2011-December/084452.html">http://lists.grok.org.uk/pipermail/full-disclosure/2011-December/084452.html</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU C Library | ||
| vsftpd |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://dividead.wordpress.com/2009/06/01/glibc-timezone-integer-overflow/
- http://lists.grok.org.uk/pipermail/full-disclosure/2011-December/084452.html
- http://rcvalle.com/post/14169476482/exploiting-glibc-tzfile-read-integer-overflow-to
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=767696
- http://rcvalle.com/post/14261796328/more-on-exploiting-glibc-tzfile-read-integer-overflow
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=761245#c15
- http://sourceware.org/bugzilla/show_bug.cgi?id=13506
- http://sourceware.org/ml/libc-alpha/2011-12/msg00037.html
- http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=97ac2654b2d831acaa18a2b018b0736245903fd2
- http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=8fa26d571d4b87a1c7a7f19f1365f7e5d2995933
- https://rhn.redhat.com/errata/RHSA-2012-0058.html
- https://rhn.redhat.com/errata/RHSA-2012-0126.html
- https://rhn.redhat.com/errata/RHSA-2012-0125.html
- https://bugzilla.redhat.com/show_bug.cgi?id=761245
Frequently Asked Questions
What is the severity of REDHAT-BUG-761245?
The severity of REDHAT-BUG-761245 is considered high due to the potential for remote code execution resulting from the integer overflow to buffer overflow vulnerability.
How do I fix REDHAT-BUG-761245?
To fix REDHAT-BUG-761245, it is recommended to update the GNU C Library to the latest version that contains the necessary security patches.
What systems are affected by REDHAT-BUG-761245?
REDHAT-BUG-761245 affects systems running the GNU C Library and certain versions of vsftpd.
What is the nature of the vulnerability in REDHAT-BUG-761245?
REDHAT-BUG-761245 is an integer overflow vulnerability that can lead to a buffer overflow within the __tzfile_read function.
When was REDHAT-BUG-761245 published?
REDHAT-BUG-761245 was publicly disclosed by the researcher dividead in early 2009.
- agent/references
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-5029
- agent/severity
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gnu
- canonical/gnu c library
- vendor/vsftpd
- canonical/vsftpd