[arch-security] [ASA-201602-22] glibc: unbound stack usage

Christian Rebischke Chris.Rebischke at archlinux.org
Sun Feb 28 01:18:53 UTC 2016


Arch Linux Security Advisory ASA-201602-22
==========================================

Severity: Medium
Date    : 2016-02-28
CVE-ID  : CVE-2014-9761
Package : glibc
Type    : unbound stack usage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package glibc before version 2.23-1 is vulnerable to unbound stack
usage. 

Resolution
==========

Upgrade to 2.23-1.

# pacman -Syu "glibc>=2.23-1"

The problem has been fixed upstream in version 2.23.

Workaround
==========

None.

Description
===========

- CVE-2014-9761 (unbound stack usage)
The nan, nanf and nanl functions no longer have unbounded stack usage
depending on the length of the string passed as an argument to the
functions.

Impact
======

An attacker has an easy job with stack based exploits.

References
==========

https://access.redhat.com/security/cve/CVE-2014-9761
http://seclists.org/oss-sec/2016/q1/153
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160228/e3526c70/attachment.asc>


More information about the arch-security mailing list