public inbox for glibc-bugs@sourceware.org
* [Bug libc/18016] New: Signed size comparison in memcpy-ssse3.S (CVE-2011-2702)
@ 2015-02-24 15:51 fweimer at redhat dot com
  2015-02-24 15:54 ` [Bug libc/18016] " fweimer at redhat dot com
  0 siblings, 1 reply; 2+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 15:51 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18016

            Bug ID: 18016
           Summary: Signed size comparison in memcpy-ssse3.S
                    (CVE-2011-2702)
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
             Flags: security+

CVE mapping is based on an archived copy of
http://www.nodefense.org/eglibc.txt.

The signed comparison in __memcpy_ssse3 means that an out-of-bounds reference
is used for the jump table, which allows code execution and ASLR bypass (due to
the relative addressing).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
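The bug class in the report, as an added illustrative model in C (not glibc's code and not the assembly in memcpy-ssse3.S): a length-dispatch lookup guarded by a signed comparison accepts any length whose top bit is set, while the same check done unsigned rejects it. The table size, the offsets and the sample lengths are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed: number of per-length handlers in the dispatch table. */
#define TABLE_ENTRIES 80

/* Constructed stand-in for a PIC jump-table entry: the relative offset of
 * the handler for length i.  In real code this is a memory load indexed by
 * the length, so an out-of-bounds index reads whatever follows the table
 * and uses it as a code offset. */
static int32_t table_entry(size_t i) { return (int32_t)(i * 16); }

typedef enum { CMP_SIGNED, CMP_UNSIGNED } cmp_kind;

/* Look up the dispatch offset for length n.
 * Returns -1 when the guard rejects n, -2 when the guard accepted n but the
 * index is really out of bounds (the model refuses to read past the table),
 * otherwise the table entry.  CMP_SIGNED reproduces the defect: the size is
 * reinterpreted as a signed machine word before the comparison, so a length
 * with the top bit set compares as negative and passes. */
long dispatch_offset(size_t n, cmp_kind kind) {
    bool in_range = (kind == CMP_SIGNED)
        ? (intptr_t) n < (intptr_t) TABLE_ENTRIES
        : n < TABLE_ENTRIES;
    if (!in_range)
        return -1;
    if (n >= TABLE_ENTRIES)
        return -2;
    return table_entry(n);
}

/* Count how many of the given lengths slip past the guard under `kind`. */
size_t count_bypassed(const size_t *sizes, size_t count, cmp_kind kind) {
    size_t bypassed = 0;
    for (size_t i = 0; i < count; i++)
        if (dispatch_offset(sizes[i], kind) == -2)
            bypassed++;
    return bypassed;
}

/* Constructed sample lengths: small, boundary, large, and two with the top
 * bit set (the ones that read as negative under a signed compare). */
static const size_t sample_sizes[] =
    {0, 16, 79, 80, 1000, SIZE_MAX / 2 + 1, SIZE_MAX};
#define SAMPLE_COUNT (sizeof sample_sizes / sizeof sample_sizes[0])

int main(void) {
    printf("signed guard bypassed by %zu of %zu lengths\n",
           count_bypassed(sample_sizes, SAMPLE_COUNT, CMP_SIGNED), SAMPLE_COUNT);
    printf("unsigned guard bypassed by %zu of %zu lengths\n",
           count_bypassed(sample_sizes, SAMPLE_COUNT, CMP_UNSIGNED), SAMPLE_COUNT);
    return 0;
}
```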



* [Bug libc/18016] Signed size comparison in memcpy-ssse3.S (CVE-2011-2702)
  2015-02-24 15:51 [Bug libc/18016] New: Signed size comparison in memcpy-ssse3.S (CVE-2011-2702) fweimer at redhat dot com
@ 2015-02-24 15:54 ` fweimer at redhat dot com
  0 siblings, 0 replies; 2+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 15:54 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18016

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in commit a0ac24d98ace90d1ccba6a2f3e7d55600f2fdb6e, which went into glibc
2.12.

The bug was introduced in commit 3af48cbdfaeb8bc389de1caeb33bc29811da80e8,
which happened after the 2.11 release, but it seems that this ended up in some
eglibc releases and downstreams.



