[OE-core] [PATCH 1/2] glibc: CVE-2015-1472: wscanf allocates too little memory

akuster808 akuster808 at gmail.com
Fri May 8 19:45:21 UTC 2015


Haris,

thanks. I will stage this on my dizzy next branch.

please include [Dizzy/fido] in the subject line if a patch meant for a 
specific release. it will help route patches.
regards,
Armin

On 05/08/2015 08:47 AM, Haris Okanovic wrote:
> On 05/07/2015 06:19 PM, Haris Okanovic wrote:
>> Backport Paul Pluzhnikov's glibc patch for CVE-2015-1472:
>>
>> Under certain conditions wscanf can allocate too little memory for the
>> to-be-scanned arguments and overflow the allocated buffer.  The
>> implementation now correctly computes the required buffer size when
>> using malloc.
>>
>> https://sourceware.org/bugzilla/show_bug.cgi?id=16618
>>
>> Signed-off-by: Haris Okanovic <haris.okanovic at ni.com>
>> Signed-off-by: Ken Sharp <ken.sharp at ni.com>
>> Reviewed-by: Rich Tollerton <rich.tollerton at ni.com>
>> ---
>
> Note that this patch is to apply to the Dizzy branch of
> openembedded-core (glibc 2.20). It might cleanly apply to other branches
> also using glibc 2.20, but I've only tested with Dizzy.
>
> CVE-2015-1472 is fixed in glibc 2.21 and later.
>
> Thanks,
> Haris



More information about the Openembedded-core mailing list