Full Disclosure mailing list archives
Re: GNU libc/regcomp(3) Multiple Vulnerabilities
From: halfdog <me () halfdog net>
Date: Tue, 11 Jan 2011 15:33:43 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maksymilian Arciemowicz wrote:
> [ GNU libc/regcomp(3) Multiple Vulnerabilities ]
> Author: Maksymilian Arciemowicz
> http://securityreason.com/
> http://cxib.net/
> Date:
> - Dis.: 01.10.2010
> - Pub.: 07.01.2011
> CERT: VU#912279
> CVE: CVE-2010-4051 CVE-2010-4052

Nice find, but not the first one, look at:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/343894

I just reported the issue to ubuntu to see how their bug tracking team was performing on an issue where a standard byte-array-fuzzer just needed 2 secs to find it. I wanted to know if they could detect a misclassified issue (was not reported as security bug) and bring it to a fix. I would have bet that they would be faster than you, but it seems that you made the race. What I learned from the exercise (see bug report date March 2009) is that the ubuntu launchpad platform is an invaluable source of exploits when used together with google mining.

As to the regexes: If you want to start collecting CVEs, many other programs are also vulnerable to regex resource exhaustion, e.g. using postgres extended regulars.

As for the segfaults: The problem with memory-allocation errors is quite common in many programs and not only restricted to regular expressions. Even many suid-binaries have quite funny behavior when limiting resources, e.g. to trigger null-pointer deref in sudoedit on lucid,

    (gdb) bt
    #0  __tsearch (key=0xbfb3e4e0, vrootp=0x1c, compar=0xb14490 <known_compare>) at tsearch.c:251
    #1  0x00b1407e in *__GI___nss_lookup_function (ni=0x0, fct_name=0xb691bb "setpwent") at nsswitch.c:342

See http://www.halfdog.net/Security/LowMemoryProgramCrashing/

- --
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFNLHisxFmThv7tq+4RAjcXAKCDfYYFfZnSsMbiOg9r3rx62K5tqQCfUHc2
rKfqZKcJnG6KifMjFfXgUMM=
=5JXJ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- GNU libc/regcomp(3) Multiple Vulnerabilities Maksymilian Arciemowicz (Jan 07)
- Re: GNU libc/regcomp(3) Multiple Vulnerabilities cpolish (Jan 08)
- Re: GNU libc/regcomp(3) Multiple Vulnerabilities halfdog (Jan 11)
- Re: GNU libc/regcomp(3) Multiple Vulnerabilities Maksymilian Arciemowicz (Jan 11)