CVE-2011-1659

Description

Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071.

CVSS Metrics

• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 2.48%• Percentile: 86%

Techniques & Countermeasures

• CWE-189•Numeric Errors

  Weaknesses in this category are related to improper calculation or conversion of numbers.

Affected Systems

• gnu•glibc

  ≤ 2.13 | 1.00 | 1.01 | 1.02 | 1.03 | 1.04 | 1.05 | 1.06 | 1.07 | 1.08 | 1.09 | 1.09.1 | 2.0 | 2.0.1 | 2.0.2 | 2.0.3 | 2.0.4 | 2.0.5 | 2.0.6 | 2.1 | 2.11 | 2.1.1.6 | 2.12 | 2.13 | 2.1.3.10 | 2.19 | 2.2 | 2.21 | 2.22 | 2.23 | 2.2.4 | 2.25 | 2.3 | 2.3.1 | 2.3.2 | 2.33 | 2.3.4 | 2.3.5 | 2.3.6 | 2.3.10 | 2.4 | 2.5 | 2.5.1 | 2.6 | 2.6.1 | 2.7 | 2.8 | 2.9 | 2.10 | 2.10.1 | 2.10.2 | 2.11.1 | 2.11.2 | 2.11.3 | 2.12.0 | 2.12.1 | 2.12.2

References (13)

• https://bugzilla.redhat.com/show_bug.cgi?id=681054
• http://www.securityfocus.com/archive/1/520102/100/0/threaded
• http://secunia.com/advisories/46397
• http://secunia.com/advisories/44353
• http://www.securitytracker.com/id?1025450
• https://exchange.xforce.ibmcloud.com/vulnerabilities/66819
• http://www.mandriva.com/security/advisories?name=MDVSA-2011:178
• http://scarybeastsecurity.blogspot.com/2011/02/i-got-accidental-code-execution-via.html
• http://www.vmware.com/security/advisories/VMSA-2011-0012.html
• http://code.google.com/p/chromium/issues/detail?id=48733
• http://www.mandriva.com/security/advisories?name=MDVSA-2011:179
• http://sourceware.org/bugzilla/show_bug.cgi?id=12583
• http://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=8126d90480fa3e0c5c5cd0d02cb1c93174b45485