Date: Wed, 27 Jan 2021 15:16:40 -0000 (UTC) From: Tavis Ormandy <taviso@...il.com> To: oss-security@...ts.openwall.com Subject: glibc iconv crash with ISO-2022-JP-3 Hello list, I suddenly got interested in mutt attack surface after CVE-2021-3181, and some testing found a crash via charset conversion glibc. It's just an abort(), I don't think there's any further impact. I believe this would crash anything that does character conversion with iconv. Mail clients do automatic charset conversion when they see a Subject like: Subject: =?ISO-2022-JP-3?B?..... or a MIME header like this: Content-Type: text/plain; charset=ISO-2022-JP-3 The impact is just that you can't open your mail client, because it crashes as soon as it sees the subject. Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=27256 Patch: https://sourceware.org/pipermail/libc-alpha/2021-January/122058.html Thanks, Tavis. -- _o) $ lynx lock.cmpxchg8b.com /\\ _o) _o) $ finger taviso@....org _\_V _( ) _( ) @taviso
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.