Date: Fri, 15 May 2015 01:39:27 +0100
From: Pádraig Brady <P@...igBrady.com>
To: oss-security@...ts.openwall.com
Subject: coreutils sort heap overflow

FYI on distros with the coreutils i18n patch applied
(Suse/RHEL/Fedora/...) a heap overflow can be triggered in sort(1) as per:
https://bugzilla.suse.com/show_bug.cgi?id=928749

The following should be the simplest way to trigger this on affected distros
(note the error is not generated 100% of the time):

  printf '%s\n' a ɑ | MALLOC_CHECK_=1 LC_ALL=en_US.utf8 sort -f

Note in UTF8 only a few chars are converted to longer sequences,
so the values that can be written are restricted.

There is also a theoretical buffer overflow with data around SIZE_MAX/2.

Both issues are fixed at:
  https://github.com/pixelb/coreutils/commit/bea5e36c
The fix is public as the bug is already public.

thanks,
Pádraig.
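
Added example, not part of the original post and not the coreutils fix: a bounded case-conversion routine showing why an output buffer sized to the input length is too small once a character such as ɑ (U+0251, 2 bytes in UTF-8) uppercases to a 3-byte sequence. The names `toy_upper`, `dec` and `upcase_bounded` and the two-entry case map are assumptions made for this sketch.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, minimal case map (an assumption for this demo): ASCII plus
   U+0251 (2 bytes in UTF-8), whose uppercase U+2C6D needs 3 bytes. */
static uint32_t toy_upper(uint32_t cp) {
    if (cp >= 'a' && cp <= 'z') return cp - 32;
    return cp == 0x0251 ? 0x2C6D : cp;
}

/* Minimal decoder for 1-3 byte UTF-8 sequences (no overlong-form checks).
   Returns bytes consumed, or 0 if the bytes do not parse. */
static size_t dec(const unsigned char *s, size_t n, uint32_t *cp) {
    if (n >= 1 && s[0] < 0x80) { *cp = s[0]; return 1; }
    if (n >= 2 && (s[0] & 0xE0) == 0xC0 && (s[1] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x1F) << 6) | (s[1] & 0x3F);
        return 2;
    }
    if (n >= 3 && (s[0] & 0xF0) == 0xE0 && (s[1] & 0xC0) == 0x80
        && (s[2] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(s[0] & 0x0F) << 12) | ((uint32_t)(s[1] & 0x3F) << 6)
              | (s[2] & 0x3F);
        return 3;
    }
    return 0;
}

/* Uppercase in[0..inlen) into out[0..cap). Returns the bytes the result needs,
   which can exceed inlen, or SIZE_MAX on unparsable input or size overflow.
   A character is stored only if it fits entirely, so a short buffer is
   reported to the caller instead of being overrun. */
size_t upcase_bounded(const char *in, size_t inlen, char *out, size_t cap) {
    const unsigned char *s = (const unsigned char *)in;
    size_t need = 0, k;
    for (size_t i = 0; i < inlen; i += k) {
        uint32_t cp;
        if ((k = dec(s + i, inlen - i, &cp)) == 0) return SIZE_MAX;
        cp = toy_upper(cp);
        size_t len = cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;
        unsigned char b[3] = { (unsigned char)cp, 0, 0 };
        if (len == 2) { b[0] = (unsigned char)(0xC0 | (cp >> 6)); }
        if (len == 3) { b[0] = (unsigned char)(0xE0 | (cp >> 12)); }
        if (len == 3) { b[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F)); }
        if (len >= 2) { b[len - 1] = (unsigned char)(0x80 | (cp & 0x3F)); }
        if (need > SIZE_MAX - len) return SIZE_MAX;  /* size arithmetic guard */
        if (len <= cap && need <= cap - len) memcpy(out + need, b, len);
        need += len;
    }
    return need;
}
```

A caller compares the return value with `cap` and grows the buffer before retrying, rather than assuming the converted line is no longer than the original.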
