Format string

2014-02-1018:15:00

PRIOn knowledge base

www.prio-n.com

6.5 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.011 Low

EPSS

Percentile

83.8%

JSON

The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.14 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (segmentation fault and crash) via a format string with a large number of format specifiers that triggers “desynchronization within the buffer size handling,” a different vulnerability than CVE-2012-3404.

CPENameOperatorVersion
ubuntu_linuxeq8.4 lts
ubuntu_linuxeq11.04
ubuntu_linuxeq11.10
ubuntu_linuxeq12.4 lts
ubuntu_linuxeq10.4 lts
glibceq2.14
enterprise_linuxeq6.0
enterprise_virtualizationeq3.0

Name	Operator	Version
ubuntu_linux	eq	8.4 lts
ubuntu_linux	eq	11.04
ubuntu_linux	eq	11.10
ubuntu_linux	eq	12.4 lts
ubuntu_linux	eq	10.4 lts
glibc	eq	2.14
enterprise_linux	eq	6.0
enterprise_virtualization	eq	3.0