Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 6.0 (including) | 6.0 (including) |
| Freebsd | Freebsd | 6.0-release (including) | 6.0-release (including) |
| Freebsd | Freebsd | 6.0-stable (including) | 6.0-stable (including) |
| Freebsd | Freebsd | 6.0_p5_release (including) | 6.0_p5_release (including) |
| Freebsd | Freebsd | 7.0 (including) | 7.0 (including) |
| Freebsd | Freebsd | 7.0-pre-release (including) | 7.0-pre-release (including) |
| Freebsd | Freebsd | 7.0_beta4 (including) | 7.0_beta4 (including) |
| Freebsd | Freebsd | 7.0_releng (including) | 7.0_releng (including) |
| Netbsd | Netbsd | 4.0 (including) | 4.0 (including) |
| Eglibc | Ubuntu | karmic | * |
| Eglibc | Ubuntu | upstream | * |
| Glibc | Ubuntu | dapper | * |
| Glibc | Ubuntu | hardy | * |
| Glibc | Ubuntu | intrepid | * |
| Glibc | Ubuntu | jaunty | * |
| Glibc | Ubuntu | upstream | * |