List: oss-security
Subject: [oss-security] CVE-2018-19591: glibc if_nametoindex may not close descriptor
From: Florian Weimer <fweimer () redhat ! com>
Date: 2018-11-27 21:04:31
Message-ID: 87tvk29qqo.fsf () oldenburg ! str ! redhat ! com

Guido Vranken reported that the glibc implementation of if_nametoindex
would not close an internal descriptor when processing a long interface
name. This error condition can be triggered via the getaddrinfo
function (and at least one HTTP client library).

<https://sourceware.org/bugzilla/show_bug.cgi?id=23927>

Fixed with this upstream commit:

commit d527c860f5a3f0ed687bd03f0cb464612dc23408
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Nov 27 16:12:43 2018 +0100

    CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927]

The vulnerability was introduced in commit
2180fee114b778515b3f560e5ff1e795282e60b0 ("Check length of ifname before
copying it into to ifreq structure."), fixing bug 22442 for glibc 2.27.
Since this addressed a compiler warning with GCC 8, this commit was
backported to quite a few release branches.

Thanks,
Florian