public inbox for glibc-bugs@sourceware.org
* [Bug libc/18016] New: Signed size comparison in memcpy-ssse3.S (CVE-2011-2702)
From: fweimer at redhat dot com @ 2015-02-24 15:51 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18016
Bug ID: 18016
Summary: Signed size comparison in memcpy-ssse3.S (CVE-2011-2702)
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: drepper.fsp at gmail dot com
Flags: security+
CVE mapping is based on an archived copy of
http://www.nodefense.org/eglibc.txt.
The signed comparison in __memcpy_ssse3 means that an out-of-bounds reference
is used for the jump table, which allows code execution and ASLR bypass (due to
the relative addressing).
* [Bug libc/18016] Signed size comparison in memcpy-ssse3.S (CVE-2011-2702)
From: fweimer at redhat dot com @ 2015-02-24 15:54 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=18016
Florian Weimer <fweimer at redhat dot com> changed:
      What  |Removed  |Added
------------------------------------
     Status |NEW      |RESOLVED
 Resolution |---      |FIXED
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in commit a0ac24d98ace90d1ccba6a2f3e7d55600f2fdb6e, which went into glibc
2.12.
The bug was introduced in commit 3af48cbdfaeb8bc389de1caeb33bc29811da80e8,
which happened after the 2.11 release, but it seems that this ended up in some
eglibc releases and downstreams.
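The signed size comparison described in the report, as an added C model (not glibc's assembly and not code from this thread): a 32-bit length is tested against a small-copy threshold once as signed and once as unsigned, and the resulting routing is reported without touching memory. SMALL_MAX, the function names and the one-entry-per-length table layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed value: lengths below SMALL_MAX go through a jump table
 * with exactly SMALL_MAX entries; longer copies take a bulk loop. */
#define SMALL_MAX 48u

enum route { BULK_LOOP, TABLE_IN_BOUNDS, TABLE_OUT_OF_BOUNDS };

/* Signed view of the length register. Converting a value >= 2^31 to
 * int32_t is implementation-defined in C before C23; mainstream
 * compilers wrap to a negative number, matching the CPU's signed flags. */
static int small_signed(uint32_t len)
{
    return (int32_t)len < (int32_t)SMALL_MAX;
}

/* Unsigned view: the comparison a size_t length needs. */
static int small_unsigned(uint32_t len)
{
    return len < SMALL_MAX;
}

/* Decide where a copy of `len` bytes is routed under a given check.
 * The table index is the raw length, so it is valid only if
 * len < SMALL_MAX when read as unsigned. Nothing is dereferenced here. */
static enum route route_copy(uint32_t len, int (*is_small)(uint32_t))
{
    if (!is_small(len))
        return BULK_LOOP;
    return len < SMALL_MAX ? TABLE_IN_BOUNDS : TABLE_OUT_OF_BOUNDS;
}

int main(void)
{
    static const char *const name[] = { "bulk loop", "table, in bounds", "table, OUT OF BOUNDS" };
    const uint32_t lens[] = { 0u, 16u, 47u, 48u, 4096u, 0x7fffffffu, 0x80000000u, 0xffffffffu };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=0x%08x  signed: %-22s unsigned: %s\n", (unsigned)lens[i],
               name[route_copy(lens[i], small_signed)],
               name[route_copy(lens[i], small_unsigned)]);
    return 0;
}
```

Every length with the top bit set reads as negative under the signed check and is sent to the table with an index far past its end, while the unsigned check sends the same lengths to the bulk loop.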