public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/18012] New: Alleged denial of service in glob (CVE-2010-4756)
@ 2015-02-24 11:51 fweimer at redhat dot com
2015-02-24 11:53 ` [Bug libc/18012] " fweimer at redhat dot com
0 siblings, 1 reply; 2+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 11:51 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18012
Bug ID: 18012
Summary: Alleged denial of service in glob (CVE-2010-4756)
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: drepper.fsp at gmail dot com
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4756 to
the following vulnerability:
Name: CVE-2010-4756
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4756
Assigned: 20110302
Reference: http://securityreason.com/achievement_securityalert/89
Reference: http://cxib.net/stuff/glob-0day.c
Reference: http://securityreason.com/exploitalert/9223
The glob implementation in the GNU C Library (aka glibc or libc6) allows remote
authenticated users to cause a denial of service (CPU and memory consumption)
via crafted glob expressions that do not match any pathnames, as demonstrated
by glob expressions in STAT commands to an FTP daemon, a different
vulnerability than CVE-2010-2632.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug libc/18012] Alleged denial of service in glob (CVE-2010-4756)
2015-02-24 11:51 [Bug libc/18012] New: Alleged denial of service in glob (CVE-2010-4756) fweimer at redhat dot com
@ 2015-02-24 11:53 ` fweimer at redhat dot com
0 siblings, 0 replies; 2+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 11:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18012
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
Flags| |security-
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
The prevalent opinion is this is just how the glob interface works, and that
this is not a security bug. See for example:
https://bugzilla.redhat.com/show_bug.cgi?id=681681#c1
https://security-tracker.debian.org/tracker/CVE-2010-4756
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-02-24 11:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-02-24 11:51 [Bug libc/18012] New: Alleged denial of service in glob (CVE-2010-4756) fweimer at redhat dot com
2015-02-24 11:53 ` [Bug libc/18012] " fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).