PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-2090 Canonical CVE debrief

CVE-2016-2090 is a critical memory-safety flaw in libbsd’s fgetwln function. The NVD record describes an off-by-one condition that can lead to a heap-based buffer overflow in libbsd before 0.8.2, with a CVSS 3.1 score of 9.8 and network-reachable, no-authentication conditions in the published vector.

Vendor: Canonical
Product: CVE-2016-2090
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Security teams and maintainers responsible for systems that ship libbsd, especially environments matching the affected CPEs in the record: libbsd before 0.8.2 and distro packages for Fedora 24/25, Debian 8.0, and Ubuntu 12.04 ESM, 14.04 ESM, 16.04 LTS, 18.04 LTS, and 19.04.

Technical summary

The vulnerability is an off-by-one bug in fgetwln that can trigger a heap-based buffer overflow. NVD classifies it as CWE-119 and assigns CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high potential impact where an affected build of the library processes input reachable by an attacker. The affected libbsd version range in the record is any version before 0.8.2.

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade libbsd to 0.8.2 or later where available.
  • Apply vendor or distribution security updates for affected Fedora, Debian, and Ubuntu packages.
  • Inventory systems and containers that include libbsd, including transitive dependencies.
  • Prioritize internet-facing or broadly exposed services that bundle the affected library.
  • Rebuild and redeploy images after patching to ensure the vulnerable package is removed.
  • Verify package versions against distro advisories before and after remediation.
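The inventory and verification steps above can be scripted as a first-pass triage. The following is an added example, not PatchSiren's or libbsd's code: it takes a collected list of (host, package, version) entries, as produced by dpkg-query or rpm -qa, strips the epoch and distro revision, and flags any libbsd package whose upstream version is below 0.8.2. The package names in LIBBSD_PACKAGES, the sample inventory and the hosts are constructed assumptions, and the version ordering is a simplified Debian-style comparison (digit runs compared numerically, '~' sorting before everything). A flagged entry still has to be checked against the distro advisory, because a backported fix can ship under an older upstream version number.

```python
"""Triage helper for CVE-2016-2090: flag inventoried libbsd packages whose
upstream version is below 0.8.2. Added example, not code from PatchSiren
or the libbsd project."""
import re

FIXED_VERSION = "0.8.2"  # NVD record: libbsd before 0.8.2 is affected
# Assumed package names as shipped by Debian/Ubuntu and Fedora (hypothetical list)
LIBBSD_PACKAGES = {"libbsd", "libbsd0", "libbsd-dev"}

_TOKEN = re.compile(r"\d+|\D+")  # alternate digit / non-digit runs


def _char_weight(c):
    """Debian character ordering: '~' < end of string < letters < other symbols."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; a missing character weighs 0 (end of string)."""
    for i in range(max(len(a), len(b))):
        wa = _char_weight(a[i]) if i < len(a) else 0
        wb = _char_weight(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing upstream version strings a and b
    (simplified Debian ordering, no epoch handling here)."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        xa = ta[i] if i < len(ta) else ""
        xb = tb[i] if i < len(tb) else ""
        da, db = xa.isdigit(), xb.isdigit()
        if da and db:
            na, nb = int(xa), int(xb)
            if na != nb:
                return -1 if na < nb else 1
        else:
            # A digit or missing token on one side is compared as an empty
            # non-digit part: it sorts after '~' but before letters/symbols.
            r = _cmp_nondigit("" if da else xa, "" if db else xb)
            if r:
                return r
    return 0


def upstream_version(distro_version):
    """Strip a leading epoch ('1:') and a trailing distro revision
    ('-1ubuntu1', '-2+deb8u1', '-1.fc25') so only the upstream part remains."""
    v = distro_version.split(":", 1)[-1]
    return v.rsplit("-", 1)[0] if "-" in v else v


def triage(inventory):
    """inventory: iterable of (host, package, version) tuples.
    Returns the libbsd entries whose upstream version is below FIXED_VERSION;
    each one must still be checked against the distro advisory."""
    flagged = []
    for host, pkg, ver in inventory:
        if pkg not in LIBBSD_PACKAGES:
            continue
        if compare_versions(upstream_version(ver), FIXED_VERSION) < 0:
            flagged.append((host, pkg, ver))
    return flagged


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("web-01", "libbsd0", "0.8.1-1ubuntu1"),    # upstream 0.8.1: flagged
    ("web-02", "libbsd0", "0.8.2-1"),           # fixed upstream release
    ("build-01", "libbsd", "0.8.3-1.fc25"),     # RPM-style version, fixed
    ("db-01", "libbsd0", "0.7.0-2+deb8u1"),     # older upstream: flagged,
                                                # but a backport may carry the fix
    ("cache-01", "libssl1.0.0", "1.0.2g-1"),    # unrelated package, ignored
]

if __name__ == "__main__":
    for host, pkg, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {pkg} {ver} is below {FIXED_VERSION}; check the distro advisory")
```

Running the block prints the two flagged hosts from the sample. On a real fleet, feed triage() the output of `dpkg-query -W -f='${Package}\t${Version}\n'` or `rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\n'` per host, run it once before and once after remediation, and resolve every remaining hit against the distribution's advisory rather than the version number alone.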

Evidence notes

The supplied NVD record identifies the issue as an off-by-one vulnerability in libbsd’s fgetwln function that can cause a heap-based buffer overflow, and lists libbsd versions before 0.8.2 as affected. The record also includes CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-119. Reference links point to the original oss-security disclosure, a fuzzing-project writeup, a freedesktop bug report, a patch commit, and downstream distro advisories. The CVE record was published on 2017-01-13.

Official resources

The public disclosure reference is an oss-security post dated 2016-01-28; the CVE record was published on 2017-01-13. Later downstream advisories and the upstream patch commit are included in the record.