[prev in list] [next in list] [prev in thread] [next in thread]
List: glibc-locales
Subject: [Bug localedata/17187] New: Out-of-bounds NUL write in iconv_open
From: sourceware-bugzilla () sourceware ! org (fweimer at redhat dot com)
Date: 2014-07-21 12:20:00
Message-ID: bug-17187-716 () http ! sourceware ! org/bugzilla/
[Download RAW message or body]
https://sourceware.org/bugzilla/show_bug.cgi?id=17187
Bug ID: 17187
Summary: Out-of-bounds NUL write in iconv_open
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: localedata
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: libc-locales at sourceware dot org
Flags: security?
Tavis Ormandy reported that iconv_open mishandles // transliteration
specifiers:
http://www.openwall.com/lists/oss-security/2014/07/14/1
The cause is in __gconv_translit_find:
cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
trans->name, name_len);
if (need_so)
memcpy (cp, ".so", sizeof (".so"));
cp points *after* the NUL terminator, so the memcpy call does not actually
append ".so", but copies four bytes starting after the terminating NUL
character, not changing the string at all?and writing a single NUL byte after
the end of the buffer.
--
You are receiving this mail because:
You are on the CC list for the bug.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic