Numeric Errors Affecting glibc package, versions <2.13-24
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Threat Intelligence
EPSS
0.84% (82nd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-GLIBC-532921
- published 2 May 2013
- disclosed 2 May 2013
Introduced: 2 May 2013
CVE-2009-5029 Open this link in a new tabHow to fix?
Upgrade Debian:11 glibc to version 2.13-24 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.
References
- https://security-tracker.debian.org/tracker/CVE-2009-5029
- http://dividead.wordpress.com/2009/06/01/glibc-timezone-integer-overflow/
- http://lists.grok.org.uk/pipermail/full-disclosure/2011-December/084452.html
- http://sourceware.org/git/?p=glibc.git;a=commit;h=97ac2654b2d831acaa18a2b018b0736245903fd2
- http://sourceware.org/ml/libc-alpha/2011-12/msg00037.html
- https://bugzilla.redhat.com/show_bug.cgi?id=761245
- http://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=97ac2654b2d831acaa18a2b018b0736245903fd2
- https://access.redhat.com/errata/RHSA-2012:0058
- https://access.redhat.com/errata/RHSA-2012:0125
- https://access.redhat.com/errata/RHSA-2012:0126
- https://access.redhat.com/security/cve/CVE-2009-5029