Date: Thu, 14 Aug 2014 14:08:16 +0100
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com, fweimer@...hat.com
CC: cve-assign@...re.org
Subject: Re: Re: [CVE Request] glibc iconv_open buffer overflow
 (was: Re: Re: glibc locale issues)

On 13/08/14 07:01, cve-assign@...re.org wrote:
>>> iconv/gconv_charset.h:strip() normalizes the transliteration argument to
>>> iconv_open, so the resulting file names follow a particular pattern, and
>>> there cannot be enough slashes to ascend to a writable directory.
>>>
>>>> if not maybe the one byte overflow is still exploitable.
>>>
>>> Hmm.  How likely is that?  It overflows into malloc metadata, and the
>>> glibc malloc hardening should catch that these days.
> 
>> Not necessarily on 32-bit architectures, so I agree with Tavis now, and
>> we need a CVE.  The upstream bug is:
> 
>>    <https://sourceware.org/bugzilla/show_bug.cgi?id=17187>
> 
> Use CVE-2014-5119. A CVE-2005-#### number isn't needed because the
> msg00091.html message (referenced in 17187) does not state any
> security implications.

That's correct.  Neither I nor any of the readers of my original bug
report commented on any possible security implications.  (Mind you, in
2005 I was probably a little more naïve.)

jch
