Candidate: CVE-2013-4788

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4788
http://hmarco.org/bugs/CVE-2013-4788.html

The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6)
2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the
random value for the pointer guard, which makes it easier for
context-dependent attackers to control execution flow by leveraging a
buffer-overflow vulnerability in an application and using the known zero
value pointer guard to calculate a pointer address.
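As an added illustration (it is not from the CVE record, from glibc, or from the researchers' proof of concept), the following C models pointer mangling as an XOR with a secret guard followed by a rotate. The 17-bit rotate mirrors the x86-64 scheme, but the exact constant is an assumption and does not matter for the point: with an uninitialized (zero) guard the transform collapses to a fixed, invertible rotate that hides nothing, whereas any nonzero secret guard keeps the original pointer unrecoverable from the mangled value alone. The helper names and the sample pointer value are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate count modelled on the x86-64 PTR_MANGLE sequence (assumption). */
#define MANGLE_ROT 17

static uint64_t rol64(uint64_t v, unsigned n)
{
    return (v << n) | (v >> (64 - n));
}

static uint64_t ror64(uint64_t v, unsigned n)
{
    return (v >> n) | (v << (64 - n));
}

/* Simplified model of PTR_MANGLE: XOR with the per-process guard, then rotate. */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)
{
    return rol64(ptr ^ guard, MANGLE_ROT);
}

/* Simplified model of PTR_DEMANGLE: undo the rotate, then the XOR. */
uint64_t ptr_demangle(uint64_t mangled, uint64_t guard)
{
    return ror64(mangled, MANGLE_ROT) ^ guard;
}

/* What can be learned from a mangled value by someone who knows the
   (public) rotate but not the guard: undo only the rotate. */
uint64_t recover_without_guard(uint64_t mangled)
{
    return ror64(mangled, MANGLE_ROT);
}

/* The guard protects the pointer only if the guard-less recovery fails.
   A zero guard, as in an affected static binary, makes this return 0. */
int guard_is_effective(uint64_t ptr, uint64_t guard)
{
    return recover_without_guard(ptr_mangle(ptr, guard)) != ptr;
}

int main(void)
{
    const uint64_t ptr = 0x00007f3a12345678ULL;  /* constructed sample pointer */
    const uint64_t zero_guard = 0;                /* uninitialized guard (the bug) */
    const uint64_t random_guard = 0x9e3779b97f4a7c15ULL; /* stands in for a random value */

    printf("zero guard:   mangled=%#018llx effective=%d\n",
           (unsigned long long)ptr_mangle(ptr, zero_guard),
           guard_is_effective(ptr, zero_guard));
    printf("random guard: mangled=%#018llx effective=%d\n",
           (unsigned long long)ptr_mangle(ptr, random_guard),
           guard_is_effective(ptr, random_guard));
    return 0;
}
```

The fix the upstream commits implement is to seed the pointer guard from random bytes during static startup, so that the second case applies to statically linked executables as well; the model above only explains why a zero guard is equivalent to having no guard at all.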

jdstrand> PoC in linux-distros@ (tested on Ubuntu 12.04, 13.04 and Debian 7.1)
jdstrand> Only statically compiled executables, dynamic not affected
jdstrand> upstream patch not available as of 2013-07-12
sarnold> PTR MANGLE is a security-hardening feature; exploiting this flaw
 requires a flaw in a statically linked executable that allows write
 access to one of the types of pointers that is mangled. Fixing the
 consequences of this flaw requires rebuilding all security-sensitive
 statically linked executables.
mdeslaur> fix for this was reverted in saucy as it was causing the ARM
mdeslaur> testsuite to fail.
sbeattie> fix was re-enabled in trusty with the addition of the
 patches/any/cvs-CVE-2013-4788-static-ptrguard-arm.diff patch.
mdeslaur> we will not be fixing this issue for earlier releases.

http://sourceware.org/bugzilla/show_bug.cgi?id=15754
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717178
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4788

Discovered-by: Hector Marco, Ismael Ripoll

patch: http://hmarco.org/bugs/patches/ptr_mangle-eglibc-2.17.patch
upstream: https://sourceware.org/git/?p=glibc.git;a=commit;h=c61b4d41c9647a54a329aa021341c0eb032b793e
upstream: https://sourceware.org/git/?p=glibc.git;a=commit;h=0b1f8e35640f5b3f7af11764ade3ff060211c309
upstream: https://sourceware.org/git/?p=glibc.git;a=commit;h=5ebbff8fd1529aec13ac4d2906c1a36f3e738519
upstream_eglibc: needed

precise_eglibc: ignored
quantal_eglibc: ignored (reached end-of-life)
raring_eglibc: ignored (reached end-of-life)

trusty_eglibc: not-affected (2.18-0ubuntu1)
devel_eglibc: not-affected (2.18-0ubuntu1)