Message-ID: <CAE5zrZ=h4CzHB4QLWPK87+QjZU_8iFh8aCFOpZZWFFQCFs_80A@mail.gmail.com>
Date: Thu, 1 Jan 2026 07:29:34 -0500
From: Dale Weiler <weilercdale@...il.com>
To: musl@...ts.openwall.com
Subject: Potential issue with catopen/catclose/catgets

The implementation of catopen (specifically do_catopen) mmaps the
NetBSD/OpenBSD message catalog file (via __map_file) and checks the header
to validate that the size matches what __map_file returned, since that size
is later used to unmap the file in catclose.

The problem here is that, because this is a mapped file, external
modifications of the message catalog file become visible during catclose, at
which point the size passed to munmap may no longer match the size originally
reported by the file when it was opened with catopen.

Further, I'm not sure if this is exploitable, but the fact that the underlying
contents can be manipulated while the catalog is open seems potentially
dangerous in general. I can imagine all sorts of potential memory-safety
issues cropping up in catgets if the contents are modified.


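As an added example (not musl's code and not part of the message above), the following C program reproduces the mechanism the message describes: the catalog file is mapped whole, the header's size field is validated against the mapped size at open, and an external writer then rewrites that field so that a close routine which re-reads the mapped header would compute a different length from the one it mapped. It assumes a simplified catalog layout (20-byte header, big-endian magic 0xff88ff89 at offset 0, big-endian payload byte count at offset 8) approximating the NetBSD msgcat header, maps with MAP_SHARED (an assumption about how the file is mapped; whether a MAP_PRIVATE mapping observes later writes to the file is unspecified by POSIX), and the names cat_open, cat_close, write_at, rewrite_size_field and demo_size_mismatch are hypothetical. cat_close shows the hardening of recording the mapping length at open time in a separate handle instead of trusting the mapping again at close.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed layout (an approximation of the NetBSD msgcat header, not musl's
 * code): 20-byte header, big-endian magic at offset 0, big-endian payload
 * byte count at offset 8, so a consistent file is exactly 20 + count bytes. */
#define CAT_MAGIC   0xff88ff89u
#define CAT_HDR_LEN 20

static uint32_t get_be32(const unsigned char *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Handle that records the mapping length at open time (hypothetical type). */
struct cat_handle { unsigned char *map; size_t len; };

/* pwrite n bytes at off into path; builds the sample and plays the external writer. */
static int write_at(const char *path, off_t off, const void *buf, size_t n)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    int rc = pwrite(fd, buf, n, off) == (ssize_t)n ? 0 : -1;
    close(fd);
    return rc;
}

/* Constructed sample input: a well-formed catalog with payload_len 'x' bytes. */
static int write_catalog(const char *path, uint32_t payload_len)
{
    unsigned char buf[CAT_HDR_LEN + 256] = {0};
    if (payload_len > 256) return -1;
    put_be32(buf, CAT_MAGIC);
    put_be32(buf + 8, payload_len);
    memset(buf + CAT_HDR_LEN, 'x', payload_len);
    return write_at(path, 0, buf, CAT_HDR_LEN + payload_len);
}

/* Map the whole file and require the header's size claim to match the mapped size. */
static struct cat_handle *cat_open(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0 || fstat(fd, &st) < 0) { if (fd >= 0) close(fd); return NULL; }
    size_t size = (size_t)st.st_size;
    unsigned char *map = mmap(NULL, size, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (map == MAP_FAILED) return NULL;
    struct cat_handle *h = malloc(sizeof *h);
    if (!h || size < CAT_HDR_LEN || get_be32(map) != CAT_MAGIC ||
        CAT_HDR_LEN + (size_t)get_be32(map + 8) != size) {
        munmap(map, size); free(h); return NULL;
    }
    h->map = map; h->len = size;
    return h;
}

/* The length a close routine would get by re-reading the mapped header. */
static size_t header_length(const unsigned char *map) { return CAT_HDR_LEN + (size_t)get_be32(map + 8); }

/* Hardened close: unmap with the length recorded at open, never a re-read one. */
static int cat_close(struct cat_handle *h) { int rc = munmap(h->map, h->len); free(h); return rc; }

/* Stand-in for an external writer overwriting the on-disk size field. */
static int rewrite_size_field(const char *path, uint32_t new_len)
{
    unsigned char b[4];
    put_be32(b, new_len);
    return write_at(path, 8, b, 4);
}

/* Returns 1 if the header-derived length diverged from the recorded one, 0 if not, -1 on error. */
int demo_size_mismatch(void)
{
    char path[] = "/tmp/catdemo-XXXXXX";
    struct cat_handle *h = NULL;
    int result = -1, fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    if (write_catalog(path, 100) == 0 && (h = cat_open(path)) != NULL) {
        size_t at_open = header_length(h->map);      /* 120, equal to h->len */
        if (rewrite_size_field(path, 0x7fffffffu) == 0) {
            size_t at_close = header_length(h->map); /* MAP_SHARED: the write is visible */
            result = (at_open == h->len && at_close != h->len) ? 1 : 0;
        }
        cat_close(h);
    }
    unlink(path);
    return result;
}
```

demo_size_mismatch() returns 1 when the header-derived length no longer matches the length recorded at open, which is the situation the message describes for catclose. Recording the length fixes only the munmap argument: any reader that pulls offsets and string lengths out of a shared mapping of a file another party can write to must still bounds-check every access against the recorded length, because the mapped bytes can change between the validation at open and each later read.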