Bug#279680: libc6: CAN-2004-0968 not fixed in woody
At Thu, 04 Nov 2004 17:10:25 +0100,
Helge Kreutzmann wrote:
> Package: libc6
> Version: 2.2.5-11.5
> Severity: grave
> Tags: woody, security
> Justification: user security hole
>
> I notice the Ubuntu Security USN-4-1 and did not find CAN-2004-0968 in
> the "Non-Vulnerable" list. I looked at catchsegv as an example and
> code like
>
> segv_output=`basename "$prog"`.segv.$$
>
> does not look secure to me.
>
> http://lwn.net/Alerts/108824/
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-00968
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318

Thanks for your check. I/We'll look at it and work with the security
team for woody. Note that I guess we may need another glibc
2.3.2.ds1-19 for sarge to fix this issue (with David's recent
backtrace issue).

Recently glibcbug was removed from the upstream CVS because it did not
work well (and moreover it's harmful), so I plan to remove it, but
if you have any objection, please let us know.

Regards,
-- gotom
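
The output-name pattern quoted in the report, set beside a hardened alternative. This is an added example, not code from catchsegv or from the glibc maintainers; the function names, the sample program path and the PID value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from catchsegv): the predictable output name from the
# report next to a hardened alternative. All function names are hypothetical.

# Pattern quoted in the report: the name depends only on the program basename
# and the shell's PID, so it can be computed before the file is written.
predictable_name() {
    # $1 = program path, $2 = PID (passed explicitly so the result is testable)
    echo "$(basename "$1").segv.$2"
}

# Hardened: mktemp picks a random suffix and creates the file exclusively
# with owner-only permissions, so a pre-existing path is never reused.
safe_output() {
    # $1 = program path, $2 = directory (assumption: defaults to TMPDIR or /tmp)
    mktemp "${2:-${TMPDIR:-/tmp}}/$(basename "$1").segv.XXXXXX"
}

# If a fixed name must be kept, noclobber (set -C) makes the redirection fail
# when the path already exists instead of writing into it.
write_new_only() {
    # $1 = target path, $2 = content; returns non-zero if $1 already exists
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Constructed demo in a private scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    name=$(predictable_name /usr/bin/someprog 4242)
    echo "predictable: $name"
    : > "$dir/$name"                    # path already exists (constructed)
    if write_new_only "$dir/$name" "trace"; then
        echo "wrote into existing file"
    else
        echo "refused existing file"
    fi
    out=$(safe_output /usr/bin/someprog "$dir") && echo "safe: $out"
    rm -rf "$dir"
}

demo
```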