Debian Bug report logs -
#656108
CVE-2009-5029: Integer overflow in tzfile processing
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Mon, 16 Jan 2012 16:04:37 UTC
Severity: normal
Tags: security
Merged with 650790
Fixed in version eglibc/2.11.3-3
Done: Aurelien Jarno <aurel32@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#656108; Package eglibc.
(Mon, 16 Jan 2012 16:04:45 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>.
(Mon, 16 Jan 2012 16:04:58 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: eglibc
Severity: important
Tags: security
This was only recently assigned a CVE ID, but since the initial
discussion was from 2009, this is a CVE-2009-* ID.
There's an integer overflow in tzfile processing, please see
the Red Hat bugzilla for more descriptions and links to
the glibc upstream patches:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-5029
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=97ac2654b2d831acaa18a2b018b0736245903fd2
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=8fa26d571d4b87a1c7a7f19f1365f7e5d2995933
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#656108; Package eglibc.
(Mon, 16 Jan 2012 18:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>.
(Mon, 16 Jan 2012 18:06:03 GMT) (full text, mbox, link).
Message #10 received at 656108@bugs.debian.org (full text, mbox, reply):
forcemerge 650790 656108
thanks
On Mon, Jan 16, 2012 at 05:02:45PM +0100, Moritz Muehlenhoff wrote:
> Package: eglibc
> Severity: important
> Tags: security
>
> This was only recently assigned a CVE ID, but since the initial
> discussion was from 2009, this is a CVE-2009-* ID.
>
> There's an integer overflow in tzfile processing, please see
> the Red Hat bugzilla for more descriptions and links to
> the glibc upstream patches:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-5029
>
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=97ac2654b2d831acaa18a2b018b0736245903fd2
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=8fa26d571d4b87a1c7a7f19f1365f7e5d2995933
>
This bug has already been fixed in eglibc 2.13-24 for testing and
unstable, and is already committed to the stable SVN branch (so for the
6.0.5) release. I have added the CVE number to the changelog for future
reference.
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net
Forcibly Merged 650790 656108.
Request was from Aurelien Jarno <aurelien@aurel32.net>
to control@bugs.debian.org.
(Mon, 16 Jan 2012 18:15:11 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 05 Apr 2012 07:33:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:21:28 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon