oss-sec mailing list archives
CVE Requests - glibc overflows (strxfrm)
From: mancha <mancha1 () zoho com>
Date: Fri, 13 Feb 2015 12:17:25 +0000
Hello. 1. Joseph Myers discovered strxfrm is vulnerable to integer overflows when computing memory allocation sizes (similar to CVE-2012-4412). i.e. in string/strxfrm_l.c: idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1)); Attached strxfrm-int32.c should trigger on 32-bit machines. 2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if malloc fails making it vulnerable to stack-based buffer overflows (similar to CVE-2012-4424) [1]. Attached strxfrm-alloca.c should trigger. Both issues were fixed in glibc 2.21 [2] and a quick check shows vulnerable code appears to go back to at least glibc 2.3. Please allocate CVEs for these issues. Many thanks. --mancha ============== [1] https://sourceware.org/bugzilla/show_bug.cgi?id=16009 [2] https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed
Attachment:
strxfrm-alloca.c
Description:
Attachment:
strxfrm-int32.c
Description:
Attachment:
_bin
Description:
Current thread:
- CVE Requests - glibc overflows (strxfrm) mancha (Feb 13)