[prev in list] [next in list] [prev in thread] [next in thread] 

List:       glibc-locales
Subject:    [Bug localedata/17187] New: Out-of-bounds NUL write in iconv_open
From:       sourceware-bugzilla () sourceware ! org (fweimer at redhat dot com)
Date:       2014-07-21 12:20:00
Message-ID: bug-17187-716 () http ! sourceware ! org/bugzilla/
[Download RAW message or body]

https://sourceware.org/bugzilla/show_bug.cgi?id=17187

            Bug ID: 17187
           Summary: Out-of-bounds NUL write in iconv_open
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: localedata
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: libc-locales at sourceware dot org
             Flags: security?

Tavis Ormandy reported that iconv_open mishandles // transliteration
specifiers:

http://www.openwall.com/lists/oss-security/2014/07/14/1

The cause is in __gconv_translit_find:

          cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
                  trans->name, name_len);
          if (need_so)
        memcpy (cp, ".so", sizeof (".so"));

cp points *after* the NUL terminator, so the memcpy call does not actually
append ".so", but copies four bytes starting after the terminating NUL
character, not changing the string at all?and writing a single NUL byte after
the end of the buffer.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[prev in list] [next in list] [prev in thread] [next in thread]