Red Hat Customer Portal

Skip to main content

CVE-2008-1391

Public Date:
2008-03-25
Bugzilla:
524671: CVE-2008-1391 glibc: strfmon format string problem

The MITRE CVE dictionary describes this issue as:

Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec.

Find out more about CVE-2008-1391 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Red Hat does not consider this to be a security issue. Properly written
application should not use arbitrary untrusted data as part of the format
string passed to functions as strfmon or printf family functions.