This is the mail archive of the
mailing list for the glibc project.
[PATCH COMMITTED] Add references to CVE-2017-17426
- From: Florian Weimer <fweimer at redhat dot com>
- To: GNU C Library <libc-alpha at sourceware dot org>
- Date: Wed, 6 Dec 2017 07:41:59 +0100
- Subject: [PATCH COMMITTED] Add references to CVE-2017-17426
- Authentication-results: sourceware.org; auth=none
MITRE assigned a CVE ID.
Author: Florian Weimer <firstname.lastname@example.org>
Date: Wed Dec 6 07:39:25 2017 +0100
Add references to CVE-2017-17426
diff --git a/ChangeLog b/ChangeLog
index ab41d9d947..6b752ac3de 100644
@@ -1164,6 +1164,7 @@
2017-11-30 Arjun Shankar <email@example.com>
* malloc/malloc.c (__libc_malloc): Use checked_request2size
instead of request2size.
diff --git a/NEWS b/NEWS
index dc5fe32cf8..faa60abe30 100644
@@ -112,6 +112,11 @@ Security related changes:
without GLOB_NOESCAPE, could write past the end of a buffer while
unescaping user names. Reported by Tim RÃ¼hsen.
+ CVE-2017-17426: The malloc function, when called with an object size near
+ the value SIZE_MAX, would return a pointer to a buffer which is too small,
+ instead of NULL. This was a regression introduced with the new malloc
+ thread cache in glibc 2.26. Reported by Iain Buclaw.
The following bugs are resolved with this release:
[The release manager will add the list generated by