CVE-2012-3406
The MITRE CVE dictionary describes this issue as:
The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405.
Find out more about CVE-2012-3406 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 5 (glibc) | RHSA-2012:1097 | 2012-07-18 |
| Red Hat Enterprise Linux 6 (glibc) | RHSA-2012:1098 | 2012-07-18 |
| RHEV Agents (VDSM) | RHSA-2012:1185 | 2012-08-21 |
| RHEV Hypervisor for RHEL-6 (rhev-hypervisor6) | RHSA-2012:1200 | 2012-08-23 |
CVE description copyright © 2017, The MITRE Corporation