Date: Fri, 07 Sep 2012 11:21:36 -0600
From: Kurt Seifried <>
CC: Jan Lieskovsky <>,
        "Steven M. Christey" <>,
        Florian Weimer <>, Jeff Law <>,
        Jakub Jelinek <>
Subject: Re: CVE Request -- glibc: strcoll() integer overflow leading to buffer overflow + another alloca() stack overflow issue (upstream #14547 && #14552)


On 09/07/2012 09:25 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, Florian, Jeff, Jakub, vendors,
> 1) Issue #1:
> ------------
> An integer overflow, leading to buffer overflow, flaw was found in the
> way the implementation of the strcoll() routine, used to compare two
> strings based on the current locale, of glibc, the GNU libc libraries,
> performed calculation of memory requirements / allocation needed for
> storage of the strings. If an application linked against glibc was
> missing application-level sanity checks for validity of strcoll()
> arguments and accepted untrusted input, an attacker could use this
> flaw to cause the particular application to crash or, potentially,
> execute arbitrary code with the privileges of the user running the
> application.
>
> Upstream bug report (including reproducer): [1]
> References: [2]
>
> Could you allocate a CVE identifier for this?

Please use CVE-2012-4412 for this issue.

> 2) Issue #2 (mentioned here only for completeness, but I am not of
> the opinion this should receive a CVE identifier. See argumentation
> below [but open to glibc upstream / others to disprove it]).

I will hold off on issuing a CVE for this then. Anyone want to weigh in?

> alloca() stack overflow (first issue from the report below)
> Upstream bug report: [3]
>
> If I have looked correctly this is expected / known behaviour of
> alloca() - from the manual page: [4]
>
> "Return Value
>  The alloca() function returns a pointer to the beginning of the
>  allocated space. If the allocation causes stack overflow, program
>  behavior is undefined."
>
> In my opinion the above description also covers the case of
> 'alloca() stack overflow' as reported in bug [3]. Further opinions
> / upstream comments appreciated though.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

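A worked illustration of the two patterns the thread above is about: a buffer size computed in arithmetic that can wrap, next to a checked version, and scratch space that falls back to the heap instead of relying on alloca(), which has no way to report that the stack is exhausted. This is an added example for this page, not glibc's strcoll() code, and it does not reproduce the upstream bugs. The "four 32-bit words per character" bookkeeping size, the 4096-byte stack threshold and all function names are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for the demo: the comparison needs four 32-bit words of
   bookkeeping per input character, for both strings together. */
#define WORDS_PER_CHAR 4u
#define BYTES_PER_CHAR (WORDS_PER_CHAR * sizeof(int32_t))   /* 16 bytes */

/* Hypothetical limit above which scratch space must not live on the stack. */
#define STACK_SCRATCH_LIMIT 4096u

/* Vulnerable pattern: the size is computed in 32-bit arithmetic and only then
   handed to the allocator. (len1 + len2) * 16 wraps modulo 2^32, so a huge
   input yields a tiny (even zero-byte) buffer that the later per-character
   writes overrun. */
uint32_t unsafe_required_bytes(size_t len1, size_t len2)
{
    uint32_t total = (uint32_t)(len1 + len2);
    return total * (uint32_t)BYTES_PER_CHAR;   /* 0x10000000 chars -> 0 bytes */
}

/* Hardened pattern: each step is checked against SIZE_MAX before it is done;
   returns -1 instead of ever producing a wrapped size. */
int checked_required_bytes(size_t len1, size_t len2, size_t *out)
{
    if (len1 > SIZE_MAX - len2)
        return -1;                          /* len1 + len2 would wrap */
    size_t total = len1 + len2;
    if (total > SIZE_MAX / BYTES_PER_CHAR)
        return -1;                          /* total * 16 would wrap */
    *out = total * BYTES_PER_CHAR;
    return 0;
}

/* Stand-in for the real bookkeeping: one 32-bit word per character per
   WORDS_PER_CHAR slot. Returns a checksum so callers can verify the work. */
static uint32_t fill_table(int32_t *tab, const char *s1, const char *s2)
{
    size_t len1 = strlen(s1), len2 = strlen(s2), i, w;
    uint32_t sum = 0;
    for (i = 0; i < len1 + len2; i++) {
        unsigned char c = (unsigned char)(i < len1 ? s1[i] : s2[i - len1]);
        for (w = 0; w < WORDS_PER_CHAR; w++) {
            tab[i * WORDS_PER_CHAR + w] = (int32_t)c + (int32_t)w;
            sum += (uint32_t)tab[i * WORDS_PER_CHAR + w];
        }
    }
    return sum;
}

/* Safe scratch allocation: checked size, a fixed stack buffer for small
   inputs, malloc() for anything larger. *used_heap reports the path taken.
   Returns -1 on size overflow or allocation failure. */
int collate_scratch(const char *s1, const char *s2, int *used_heap,
                    uint32_t *checksum)
{
    size_t need;
    if (checked_required_bytes(strlen(s1), strlen(s2), &need) != 0)
        return -1;

    int32_t stack_tab[STACK_SCRATCH_LIMIT / sizeof(int32_t)];
    int32_t *tab = stack_tab;
    *used_heap = 0;
    if (need > sizeof stack_tab) {
        tab = malloc(need);
        if (tab == NULL)
            return -1;
        *used_heap = 1;
    }
    *checksum = fill_table(tab, s1, s2);
    if (*used_heap)
        free(tab);
    return 0;
}

/* Compares a string of 'len' bytes 'a' against "" and reports which path
   collate_scratch() took: 1 heap, 0 stack, -1 failure. */
int scratch_path_for_length(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, 'a', len);
    s[len] = '\0';
    int used_heap;
    uint32_t cs;
    int rc = collate_scratch(s, "", &used_heap, &cs);
    free(s);
    return rc == 0 ? used_heap : -1;
}
```

The unsafe and checked size functions take identical inputs, so the difference is visible directly: for 0x10000000 characters the first returns 0 and the second either returns the true size or refuses. The stack/heap split is the usual replacement for unbounded alloca(): the stack buffer has a fixed, known size, and anything beyond it goes through malloc(), whose failure can be reported to the caller rather than leaving behaviour undefined.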

