PT-2021-3512 · Gnu · Glibc

Philippe Antoine · Published 2020-12-17 · Updated 2024-06-15 · CVE-2021-35942

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: glibc versions prior to 2.33
Description: The wordexp function in the GNU C Library may crash or read arbitrary memory when called with an untrusted, crafted pattern, because it incorrectly uses atoi instead of strtoul for its calculations. This can result in a denial of service or disclosure of information. The vulnerability is also described as an integer overflow that potentially allows an attacker to read arbitrary files.
Recommendations: For glibc versions prior to 2.33, update to version 2.33 or later to resolve the issue. As a temporary workaround, consider restricting the use of the wordexp function with untrusted input until the fix can be applied.
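The atoi-versus-strtoul distinction named in the description, as an added illustration that is not from this advisory or from glibc's own code; the argv table (demo_argv, demo_argc) and both helpers (atoi_index, safe_positional) are constructed for the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a program's positional parameters ($0, $1, $2). */
static const char *const demo_argv[] = { "prog", "one", "two", NULL };
static const unsigned long demo_argc = 3;

/* The weak pattern: atoi() converts through strtol and truncates the result
 * to int, so an out-of-int-range digit string yields a value (negative or
 * huge) that is not the index the input spelled out. An unchecked table
 * lookup with that value would be an out-of-bounds read. This helper only
 * returns the converted value; it never indexes anything. */
int atoi_index(const char *digits)
{
    return atoi(digits);
}

/* Hardened lookup: parse with strtoul, accept only a plain digit string,
 * reject overflow and trailing junk, and bounds-check against the table
 * size before indexing. Returns NULL for every rejected input. */
const char *safe_positional(const char *digits)
{
    char *end;
    unsigned long n;

    /* strtoul accepts leading whitespace and a sign; a parameter name must not. */
    if (digits[0] < '0' || digits[0] > '9')
        return NULL;

    errno = 0;
    n = strtoul(digits, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* overflow or trailing junk */
        return NULL;
    if (n >= demo_argc)                    /* out of range: no lookup at all */
        return NULL;
    return demo_argv[n];
}
```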

Fix

DoS

Incorrect Type Conversion or Cast

Integer Overflow


Weakness Enumeration

Related Identifiers

ALSA-2021:4358
ALT-PU-2020-3524
ALT-PU-2021-2280
ALT-PU-2021-2862
ALT-PU-2021-2880
BDU:2021-03561
CESA-2021_4358
CVE-2021-35942
DLA-3152-1
MGASA-2021-0362
OESA-2021-1296
OPENSUSE-SU-2021:1374-1
OPENSUSE-SU-2021:3291-1
OPENSUSE-SU-2021_1374-1
OPENSUSE-SU-2021_3291-1
OPENSUSE-SU-2024:13388-1
RHSA-2021:4358
RHSA-2021_4358
RLSA-2021:4358
SUSE-SU-2021:14822-1
SUSE-SU-2021:2480-1
SUSE-SU-2021:3289-1
SUSE-SU-2021:3291-1
SUSE-SU-2021:3385-1
SUSE-SU-2021_14822-1
USN-5310-1
USN-5699-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Glibc