gentoo-overlay/metadata/glsa/glsa-200311-06.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="200311-06">
  <title>glibc: getgrouplist buffer overflow vulnerability</title>
  <synopsis>
    glibc contains a buffer overflow in the getgrouplist function.
  </synopsis>
  <product type="ebuild">glibc</product>
  <announced>2003-11-22</announced>
  <revised count="01">2003-11-22</revised>
  <bug>33383</bug>
  <access>local</access>
  <affected>
    <package name="sys-libs/glibc" auto="yes" arch="*">
      <unaffected range="ge">2.2.5</unaffected>
      <vulnerable range="le">2.2.4</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    glibc is the GNU C library.
    </p>
  </background>
  <description>
    <p>
    A bug in the getgrouplist function can cause a buffer overflow if the size
    of the group list is too small to hold all the user's groups.  This overflow
    can cause segmentation faults in user applications.  This vulnerability
    exists only when an administrator has placed a user in a number of groups
    larger than that expected by an application.
    </p>
  </description>
  <impact type="normal">
    <p>
    Applications that use getgrouplist can crash.
    </p>
  </impact>
  <workaround>
    <p>
    There is no known workaround at this time.
    </p>
  </workaround>
  <resolution>
    <p>
    It is recommended that all Gentoo Linux users update their systems as
    follows:
    </p>
    <code>
    # emerge sync
    # emerge -pv '&gt;=sys-libs/glibc-2.2.5'
    # emerge '&gt;=sys-libs/glibc-2.2.5'
    # emerge clean</code>
  </resolution>
  <references>
    <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0689">CAN-2003-0689</uri>
  </references>
</glsa>