Date: Fri, 13 Feb 2015 12:17:25 +0000 From: mancha <mancha1@...o.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: CVE Requests - glibc overflows (strxfrm) Hello. 1. Joseph Myers discovered strxfrm is vulnerable to integer overflows when computing memory allocation sizes (similar to CVE-2012-4412). i.e. in string/strxfrm_l.c: idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1)); Attached strxfrm-int32.c should trigger on 32-bit machines. 2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if malloc fails making it vulnerable to stack-based buffer overflows (similar to CVE-2012-4424) . Attached strxfrm-alloca.c should trigger. Both issues were fixed in glibc 2.21  and a quick check shows vulnerable code appears to go back to at least glibc 2.3. Please allocate CVEs for these issues. Many thanks. --mancha ==============  https://sourceware.org/bugzilla/show_bug.cgi?id=16009  https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed View attachment "strxfrm-alloca.c" of type "text/plain" (407 bytes) View attachment "strxfrm-int32.c" of type "text/plain" (336 bytes) Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.