Date: Wed, 18 Apr 2012 11:06:42 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Rich Felker <dalias@...ifal.cx>, musl@...ts.openwall.com
Subject: Re: Stack-based buffer overflow in musl libc 0.8.7 and earlier

On 04/18/2012 12:32 AM, Rich Felker wrote:
> Name: Stack-based buffer overflow in musl libc 0.8.7 and earlier
> Software: musl 0.8.7 and earlier
> Software link: http://www.etalabs.net/musl
> Vulnerability Type: Buffer overflow
> Severity: Critical
>
> Software Description:
>
> musl is an implementation of the C/POSIX standard library for
> Linux-based systems. musl aims to be lightweight, fast, simple,
> free, and correct in the sense of standards-conformance and safety,
> and to meet requirements ranging from embedded systems and initrd
> images to desktop workstations, mobile devices, and high-load
> servers. Several build-from-source mini-distributions use musl as
> their C library.
>
> Vulnerability Details:
>
> musl's implementation of [v]fprintf swaps in a temporary FILE
> buffer on the stack when writing to unbuffered streams such as
> stderr. Under certain conditions where the buffer end pointer has
> already been set to the address of the internal degenerate buffer
> prior to the call to [v]fprintf, stdio internals can fail to bound
> access to the temporary buffer. Large writes will then overflow the
> temporary buffer and clobber stack contents, including potentially
> the return address. Any program linked to musl which includes
> potentially-large data from untrusted sources in its output to
> stderr or other unbuffered streams is affected.
>
> Solution:
>
> The vulnerability has been fixed in git, and the fix is to be
> included in the upcoming 0.8.8 release.
> A patch which applies
> cleanly to all recent releases is available on the musl mailing
> list:
>
> http://www.openwall.com/lists/musl/2012/04/17/1
>
> Credits:
>
> This vulnerability was discovered and fixed by the author (myself,
> Rich Felker) while debugging a crash occurring in test code
> written for musl by Luka Marčetić as part of GSoC 2011.

Please use CVE-2012-2114 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
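
Added example, not part of the original message and not musl's code: a simplified C model of the stale end pointer described in the quoted "Vulnerability Details", next to a swap that resets it. The struct, field names, sizes and single-arena layout are assumptions made for illustration; the code only evaluates the bound check and performs no out-of-bounds write.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified stream model; field names are hypothetical, not musl's. */
struct stream {
    unsigned char *buf, *wpos; /* current buffer, next write position */
    unsigned char *wend;       /* end pointer used to bound writes */
    size_t buf_size;           /* 0 means unbuffered */
};

/* One arena keeps pointer arithmetic defined: bytes [0, TMP_SIZE) model the
   temporary stack buffer, DEGENERATE_OFF the internal degenerate buffer. */
enum { TMP_SIZE = 80, DEGENERATE_OFF = 200, ARENA_SIZE = 256 };
static unsigned char arena[ARENA_SIZE];

/* State before the call: unbuffered, wend already at the degenerate buffer. */
static struct stream unbuffered_stream(void) {
    unsigned char *d = arena + DEGENERATE_OFF;
    struct stream f = { d, d, d, 0 };
    return f;
}

/* Flawed swap: installs the temporary buffer but leaves wend stale. */
static void swap_in_stale(struct stream *f) {
    f->buf = f->wpos = arena;
    f->buf_size = TMP_SIZE;
}

/* Corrected swap: the end pointer is reset together with the buffer. */
static void swap_in_fixed(struct stream *f) {
    swap_in_stale(f);
    f->wend = f->buf + f->buf_size;
}

/* Bytes a writer believes it may store before it has to flush. */
static size_t believed_room(const struct stream *f) {
    return (size_t)(f->wend - f->wpos);
}

/* 1 if a len-byte write passes the bound check yet exceeds the buffer. */
static int write_escapes(const struct stream *f, size_t len) {
    size_t real_room = (size_t)(f->buf + f->buf_size - f->wpos);
    return len <= believed_room(f) && len > real_room;
}

int main(void) {
    struct stream a = unbuffered_stream(), b = unbuffered_stream();
    swap_in_stale(&a); swap_in_fixed(&b);
    return printf("stale=%d fixed=%d\n", write_escapes(&a, 150), write_escapes(&b, 150)) < 0;
}
```

In this model the stale end pointer reports 200 bytes of room for an 80-byte buffer, so a 150-byte write is accepted without a flush; with the end pointer reset, the same write is refused.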