blob: 75c712298ec5027bf6c4b83e45dd4b89c56aa191 [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="200311-06">
<title>glibc: getgrouplist buffer overflow vulnerability</title>
<synopsis>
glibc contains a buffer overflow in the getgrouplist function.
</synopsis>
<product type="ebuild">glibc</product>
<announced>2003-11-22</announced>
<revised>2003-11-22: 01</revised>
<bug>33383</bug>
<access>local</access>
<affected>
<package name="sys-libs/glibc" auto="yes" arch="*">
<unaffected range="ge">2.2.5</unaffected>
<vulnerable range="le">2.2.4</vulnerable>
</package>
</affected>
<background>
<p>
glibc is the GNU C library.
</p>
</background>
<description>
<p>
A bug in the getgrouplist function can cause a buffer overflow if the size
of the group list is too small to hold all the user's groups. This overflow
can cause segmentation faults in user applications. This vulnerability
exists only when an administrator has placed a user in a number of groups
larger than that expected by an application.
</p>
</description>
<impact type="normal">
<p>
Applications that use getgrouplist can crash.
</p>
</impact>
<workaround>
<p>
There is no known workaround at this time.
</p>
</workaround>
<resolution>
<p>
It is recommended that all Gentoo Linux users update their systems as
follows:
</p>
<code>
# emerge sync
# emerge -pv '&gt;=sys-libs/glibc-2.2.5'
# emerge '&gt;=sys-libs/glibc-2.2.5'
# emerge clean</code>
</resolution>
<references>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0689">CAN-2003-0689</uri>
</references>
</glsa>