Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Feb 2015 12:17:25 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Requests - glibc overflows (strxfrm)

Hello.

1. Joseph Myers discovered strxfrm is vulnerable to integer overflows
when computing memory allocation sizes (similar to CVE-2012-4412). i.e.
in string/strxfrm_l.c:

  idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1));

Attached strxfrm-int32.c should trigger on 32-bit machines.

2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if
malloc fails making it vulnerable to stack-based buffer overflows
(similar to CVE-2012-4424) [1]. Attached strxfrm-alloca.c should
trigger.


Both issues were fixed in glibc 2.21 [2] and a quick check shows
vulnerable code appears to go back to at least glibc 2.3.

Please allocate CVEs for these issues. Many thanks.

--mancha

==============

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=16009
[2] https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed

View attachment "strxfrm-alloca.c" of type "text/plain" (407 bytes)

View attachment "strxfrm-int32.c" of type "text/plain" (336 bytes)

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ