CVE-2018-11236

NameCVE-2018-11236
Descriptionstdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs899071

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glibc (PTS)buster2.28-10+deb10u1fixed
buster (security)2.28-10+deb10u3fixed
bullseye2.31-13+deb11u8fixed
bullseye (security)2.31-13+deb11u10fixed
bookworm2.36-9+deb12u4fixed
bookworm (security)2.36-9+deb12u7fixed
trixie2.38-12fixed
sid2.38-13fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
eglibcsource(unstable)(unfixed)
glibcsourcestretch2.24-11+deb9u4
glibcsource(unstable)2.27-4low899071

Notes

https://sourceware.org/bugzilla/show_bug.cgi?id=22786
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5460617d1567657621107d895ee2dd83bc1f88f2

Search for package or bug name: Reporting problems