CVE-2002-1476

Name of the Vulnerable Software and Affected Versions NetBSD versions 1.4.x through 1.6

Description A buffer overflow issue exists in the setlocale function within libc on NetBSD. This occurs when the function is called with the LC ALL category and a user-controlled locale string that has more than 6 elements, exceeding the boundaries of the new categories category array. This can be exploited through programs such as xterm and zsh, allowing local attackers to execute arbitrary code.

Recommendations For NetBSD versions 1.4.x through 1.6, consider restricting the use of the setlocale function with the LC ALL category until a patch is available. As a temporary workaround, limit the number of elements in user-controlled locale strings to prevent buffer overflow.