
Bug#279680: libc6: CAN-2004-0968 not fixed in woody

At Thu, 04 Nov 2004 17:10:25 +0100,
Helge Kreutzmann wrote:
> Package: libc6
> Version: 2.2.5-11.5
> Severity: grave
> Tags: woody, security
> Justification: user security hole
> I noticed the Ubuntu Security USN-4-1 and did not find CAN-2004-0968 in
> the "Non-Vulnerable" list. I looked at catchsegv as an example and
> code like
> segv_output=`basename "$prog"`.segv.$$
> does not look secure to me. 
> http://lwn.net/Alerts/108824/
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-00968
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318

Thanks for checking.  I/We'll look at it and work with the security
team for woody.  Note that I guess we may need another glibc
2.3.2.ds1-19 for sarge to fix this issue (with David's recent
backtrace issue).

Recently glibcbug was removed from the upstream CVS because it did not
work well (and moreover it's harmful), so I plan to remove it, but
if you have an objection, please let us know.

-- gotom
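
The pattern quoted in the report builds the output file name from the program name and the shell PID, so the name can be computed before the script runs. The following is an added example, not part of this thread or of glibc's scripts, contrasting that pattern with creation through mktemp; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from glibc.

# Pattern quoted in the report: the name depends only on the program name
# and the shell PID, so anyone on the system can compute it in advance.
predictable_name() {
    prog=$1 pid=$2
    echo "$(basename "$prog").segv.$pid"
}

# Hardened form: mktemp appends an unpredictable suffix and creates the file
# exclusively with mode 0600, so a file or symlink already sitting at the
# chosen path makes creation fail instead of being written through.
safe_segv_output() {
    prog=$1 dir=${2:-${TMPDIR:-/tmp}}
    mktemp "$dir/$(basename "$prog").segv.XXXXXX"
}

# For scripts that must keep a fixed name: reject symlinks, then create the
# file under noclobber (set -C) so ">" fails if the path already exists.
write_no_clobber() {
    path=$1
    [ -L "$path" ] && return 1
    ( set -C; : > "$path" ) 2>/dev/null
}
```
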
