Date: Sun, 13 Jul 2014 19:15:32 -0700
From: Tavis Ormandy <taviso@...xchg8b.com>
To: oss-security@...ts.openwall.com
Subject: Re: glibc locale issues

Tavis Ormandy <taviso@...xchg8b.com> wrote:
> I just remembered another charset issue I had looked into but abandoned.
>
> First of all, I think the need_so logic in gconv_trans is broken, but even
> if it worked there is an off-by-one error in __gconv_translit_find() (it
> does + 3 instead of + 3 + 1 in the allocation).

To be clear, I suspect this is exploitable. It would be nice if you could
modify the buffer such that gconv will open a path with a string you've
appended to it (e.g. CHARSET=//. pkexec ./../../../../tmp/foo.so); if not,
maybe the one byte overflow is still exploitable.

You have a reasonable amount of control, e.g.

CHARSET=//AAAAA pkexec $(perl -e 'print "A" x 125'

Tavis.
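The sizing error described in the message ("+ 3 instead of + 3 + 1") comes down to a suffix copy that includes the terminating NUL while the allocation does not. The following is an added illustration of that pattern, not code from the thread or from glibc: the function names, the guard-byte arena and the sample charset name are all constructed here, and the layout is a hypothetical reconstruction of the pattern rather than __gconv_translit_find() itself. The buggy size is placed beside the corrected one, and the copy is performed inside a slightly larger real allocation so the one-byte overrun can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of the off-by-one described in the message: a buffer
 * for `name` plus an optional ".so" suffix is sized with "+ 3", but the
 * suffix copy uses sizeof(".so"), which is 4 because it includes the
 * terminating NUL.  Names and layout are a hypothetical reconstruction of
 * the pattern, not glibc's __gconv_translit_find().
 */

#define GUARD_BYTE 0xA5

/* Bytes the suffixed name actually occupies, including the NUL. */
size_t needed_size(const char *name, int need_so)
{
    /* ".so\0" is 4 bytes; without the suffix only the NUL is appended. */
    return strlen(name) + (need_so ? sizeof(".so") : 1);
}

/* The allocation size as described in the message: strlen(name) + 3. */
size_t buggy_alloc_size(const char *name)
{
    return strlen(name) + 3;
}

/* Corrected allocation: room for ".so" plus its NUL. */
size_t fixed_alloc_size(const char *name)
{
    return strlen(name) + 3 + 1;
}

/*
 * Copy name + ".so" (with NUL) into a region of `alloc` bytes that is
 * followed by one guard byte inside a larger real allocation, and report
 * whether the guard was clobbered.
 * Returns 1 if the write overran `alloc`, 0 if it fit, -1 on refusal or
 * malloc failure.
 */
int suffix_copy_overruns(const char *name, size_t alloc)
{
    size_t len = strlen(name);
    if (alloc < len + sizeof(".so") - 1) {
        /* The bug under discussion is off by exactly the NUL; anything
           shorter would overrun the arena itself, so refuse to simulate. */
        return -1;
    }
    unsigned char *arena = malloc(alloc + 1);
    if (arena == NULL)
        return -1;
    memset(arena, 0, alloc + 1);
    arena[alloc] = GUARD_BYTE;

    /* Mirrors the sequence the message describes: copy the name, then the
       suffix together with its terminator (sizeof(".so") == 4). */
    memcpy(arena, name, len);
    memcpy(arena + len, ".so", sizeof(".so"));

    int overran = arena[alloc] != GUARD_BYTE;
    free(arena);
    return overran;
}

int main(void)
{
    const char *name = "ISO-8859-1";   /* constructed sample charset name */
    printf("needed: %zu  buggy alloc: %zu  fixed alloc: %zu\n",
           needed_size(name, 1), buggy_alloc_size(name), fixed_alloc_size(name));
    printf("buggy overruns: %d\n",
           suffix_copy_overruns(name, buggy_alloc_size(name)));
    printf("fixed overruns: %d\n",
           suffix_copy_overruns(name, fixed_alloc_size(name)));
    return 0;
}
```

With the buggy size the NUL terminator lands exactly one byte past the allocation, which is the single-byte heap overflow the message calls "maybe still exploitable"; with the corrected size the copy fits.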