Wind River Support Network

HomeDefectsLIN5-20297
Fixed

LIN5-20297 : Security Advisory - glibc - CVE-2015-1472

Created: Apr 16, 2015    Updated: Feb 25, 2019
Resolved Date: May 8, 2015
Found In Version: 5.0.1.25
Fix Version: 5.0.1.26
Severity: Standard
Applicable for: Wind River Linux 5
Component/s: Toolchain

Description

The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during memory allocation, which allows context-dependent attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long line containing wide characters that are improperly handled in a wscanf call.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1472

Workaround

1. configure the project with following option:
  --enable-build-libc

2.1 apply the patch before build:
  cd layers/wrl-toolchain # you may want to backup the content of recipes-core sub-folder, as the folder links to the DVD installation folder.
  patch -Np1 < WR5-glibc-Security-Advisory-glibc-CVE-2015-1472.patch

2.2 If you don't want to mess with the DVD installation, you can follow the following manual steps in a clean project configured as above:
  make -C build wrl-glibc-rebuild.patch
  make -C build wrl-glibc-rebuild.devshell
  patch -Np1 < /path-to/CVE-2015-1472-wscanf-allocates-too-little-memory-WR5.patch
  exit # from devshell
  make fs

Other Downloads


Live chat
Online