Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 27 Jan 2015 17:47:47 -0800
From: endrazine <endrazine@...il.com>
To: Qualys Security Advisory <qsa@...lys.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

Dear Qualys team, dear list,

> ???

I assume this is an invitation to elaborate ;)

>From GHOST.c :
...
  char name[10];
  memset(name, '0', len);
  name[len] = '\0';
...


len is worth 991 at that point in time. Quite clearly, this will not fit
into 10 bytes :)

I am merely mentioning it in case anyone else was trying to run this code
and was hitting this particular stack overflow.

It is till an epic bug, congratulations on finding it !

Best regards,

j-

On Tue, Jan 27, 2015 at 4:00 PM, Qualys Security Advisory <qsa@...lys.com>
wrote:

> On Tue, Jan 27, 2015 at 02:03:10PM -0800, endrazine wrote:
> > There is an obvious stack overflow in Qualys' GHOST.c poc : the name
> buffer
> > is 10 bytes long and 900+ bytes of data are copied to it. This is
>
> ???
>
> --
> QSA
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.