Date: Fri, 13 Feb 2015 12:17:25 +0000 From: mancha <mancha1@...o.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: CVE Requests - glibc overflows (strxfrm) Hello. 1. Joseph Myers discovered strxfrm is vulnerable to integer overflows when computing memory allocation sizes (similar to CVE-2012-4412). i.e. in string/strxfrm_l.c: idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1)); Attached strxfrm-int32.c should trigger on 32-bit machines. 2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if malloc fails making it vulnerable to stack-based buffer overflows (similar to CVE-2012-4424) . Attached strxfrm-alloca.c should trigger. Both issues were fixed in glibc 2.21  and a quick check shows vulnerable code appears to go back to at least glibc 2.3. Please allocate CVEs for these issues. Many thanks. --mancha ==============  https://sourceware.org/bugzilla/show_bug.cgi?id=16009  https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed View attachment "strxfrm-alloca.c" of type "text/plain" (407 bytes) View attachment "strxfrm-int32.c" of type "text/plain" (336 bytes) Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ