Message-ID: <20150213121725.GA1280@zoho.com>
Date: Fri, 13 Feb 2015 12:17:25 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Requests - glibc overflows (strxfrm)

Hello.

1. Joseph Myers discovered strxfrm is vulnerable to integer overflows
when computing memory allocation sizes (similar to CVE-2012-4412), i.e.,
in string/strxfrm_l.c:

  idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1));

Attached strxfrm-int32.c should trigger on 32-bit machines.

2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if
malloc fails, making it vulnerable to stack-based buffer overflows
(similar to CVE-2012-4424) [1]. Attached strxfrm-alloca.c should
trigger.


Both issues were fixed in glibc 2.21 [2] and a quick check shows
vulnerable code appears to go back to at least glibc 2.3.

Please allocate CVEs for these issues. Many thanks.

--mancha

==============

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=16009
[2] https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed
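To show both defects from items 1 and 2 side by side, here is an added example (not glibc's code and not the fix referenced in [2]): the quoted size computation evaluated in 32-bit arithmetic so the wrap is visible on any host, a checked version that refuses instead of wrapping, and a bounded stack/heap decision in place of an alloca fallback. The function names and the 4096-byte stack threshold are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Bytes per slot in strxfrm_l's index array: one int32_t plus one byte,
   matching the (sizeof (int32_t) + 1) factor in the quoted malloc call. */
#define IDX_ELEM_SIZE ((uint32_t) (sizeof (int32_t) + 1))

/* Assumed threshold (not glibc's value) for keeping the array on the stack. */
#define STACK_ALLOC_LIMIT 4096u

enum idx_storage { IDX_STACK, IDX_HEAP, IDX_REFUSE };

/* The original computation, evaluated in 32-bit size_t as on a 32-bit
   machine: the product silently wraps for large srclen. */
uint32_t unchecked_idx_bytes32 (uint32_t srclen)
{
  return (srclen + 1u) * IDX_ELEM_SIZE;
}

/* Checked computation: returns the byte count, or 0 (never a valid size,
   since even srclen == 0 needs 5 bytes) when the product would not fit. */
uint32_t checked_idx_bytes32 (uint32_t srclen)
{
  if (srclen >= UINT32_MAX / IDX_ELEM_SIZE)
    return 0;
  return (srclen + 1u) * IDX_ELEM_SIZE;
}

/* Decide where the index array may live: a small array may use the stack,
   anything larger must come from the heap, and an over-large request is
   refused.  This avoids the second bug's pattern, an unbounded alloca
   taken only after malloc has already failed. */
enum idx_storage choose_idx_storage (uint32_t srclen)
{
  uint32_t bytes = checked_idx_bytes32 (srclen);
  if (bytes == 0)
    return IDX_REFUSE;
  return bytes <= STACK_ALLOC_LIMIT ? IDX_STACK : IDX_HEAP;
}

int main (void)
{
  uint32_t srclen = UINT32_MAX / IDX_ELEM_SIZE;   /* 0x33333333 */
  printf ("unchecked: %u bytes for srclen %u\n",
          unchecked_idx_bytes32 (srclen), srclen);   /* wraps to 4 */
  printf ("checked:   %u (0 = refused)\n", checked_idx_bytes32 (srclen));
  printf ("storage:   %d (2 = refused)\n", choose_idx_storage (srclen));
  return 0;
}
```

When the heap allocation itself fails, the caller should take the slower uncached path rather than retrying on the stack; that is the fallback the alloca replaced.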

View attachment "strxfrm-alloca.c" of type "text/plain" (407 bytes)

View attachment "strxfrm-int32.c" of type "text/plain" (336 bytes)

