CVE-2018-1125 - log

CVE-2018-1125 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A potential stack-based buffer overflow has been found in the pgrep utility of procps-ng <= 3.3.14. If the strlen() of one of the cmdline arguments is greater than INT_MAX (which is possible), the "int bytes" counter could wrap around completely, back to a very large positive int, and the next strncat() would then be called with a huge number of destination bytes, resulting in a stack-based buffer overflow.
+ Fortunately, every distribution that we checked compiles its procps utilities with FORTIFY, and the fortified strncat() detects and aborts the buffer overflow before it occurs.
References
+ https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
Notes
+ Related patch in Qualys' tarball: 0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch
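
The accounting error from the Description, modelled with lengths only, next to a size_t-based join that truncates safely. This is an added example, not procps-ng source and not the Qualys patch; CMDLINE_SZ, the function names and the sample values are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define CMDLINE_SZ 4096 /* assumed size of the on-stack buffer */

/* Model of the flawed accounting: what "bytes -= strlen(arg)" computes when
 * bytes is an int. The subtraction happens in size_t and is converted back
 * to int (wraps on gcc/clang), so a length above INT_MAX can leave a large
 * positive "remaining" value that a later strncat() would trust. */
static int int_budget_after(int bytes, size_t arg_len)
{
    return (int)((size_t)bytes - arg_len);
}

/* Hardened accounting: keep the budget in size_t and saturate at zero. */
static size_t size_budget_after(size_t remaining, size_t arg_len)
{
    return arg_len >= remaining ? 0 : remaining - arg_len;
}

/* Join argv[] with single spaces into dst (dst_sz bytes), truncating safely.
 * Returns the resulting length; dst is always NUL-terminated. */
static size_t join_args(char *dst, size_t dst_sz, const char *const *argv)
{
    size_t used = 0;
    if (dst_sz == 0)
        return 0;
    for (size_t i = 0; argv[i] != NULL && used < dst_sz - 1; i++) {
        if (i > 0)
            dst[used++] = ' ';
        size_t room = dst_sz - 1 - used, n = 0;
        while (n < room && argv[i][n] != '\0') /* never scans past the room left */
            n++;
        memcpy(dst + used, argv[i], n);
        used += n;
    }
    dst[used] = '\0';
    return used;
}

int main(void)
{
    size_t huge = (size_t)INT_MAX + 5000u; /* constructed length, no real string */
    const char *const argv[] = { "sleep", "100", NULL }; /* constructed sample */
    char buf[8];
    printf("int budget:    %d\n", int_budget_after(CMDLINE_SZ - 2, huge));
    printf("size_t budget: %zu\n", size_budget_after(CMDLINE_SZ - 2, huge));
    printf("joined %zu bytes: \"%s\"\n", join_args(buf, sizeof buf, argv), buf);
    return 0;
}
```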