13656 2012-02-02 20:52:00 +0000 vfprintf nargs integer overflow 2012-03-09 08:36:47 +0000 1 1 1 Unclassified glibc stdio unspecified All All RESOLVED FIXED glibc_2.14, glibc_2.15 P2 normal --- 1 kees carlos aj eggert thoger 52908 kees 2012-02-02 20:52:43 +0000 The nargs value can overflow when doing allocations, and argument-based offsets are not bounds-checked, allowing arbitrary memory writes via format strings, bypassing _FORTIFY_SOURCE protections: http://www.phrack.org/issues.html?issue=67&id=9 Patch in progress: http://cygwin.com/ml/libc-alpha/2012-02/msg00016.html 53767 aj 2012-03-05 09:38:00 +0000 Fixed in git head, this should be backported to all active branches. 53768 thoger 2012-03-05 09:56:50 +0000 FYI, a comment form Laszlo Ersek in Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=794766#c8 The easiest fix would have been to restrict "nargs" to NL_ARGMAX. http://www.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html#tag_13_23_03_07 53770 aj 2012-03-05 10:09:26 +0000 Tomas, could you or Laszlo bring this up on libc-alpha, please? 53809 thoger 2012-03-06 14:42:32 +0000 (In reply to comment #3) > Tomas, could you or Laszlo bring this up on libc-alpha, please? This was posted in: http://sourceware.org/ml/libc-alpha/2012-03/msg00101.html Replies indicate it is preferred to limit nargs by available memory rather than using an arbitrary limit, i.e. what Kees' patch was doing already. Related commit links for posterity: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fa0355175d60ccf610c98f2345504603d3b8ea57 53892 eggert 2012-03-09 08:36:47 +0000 Fix committed: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e so I am marking this bug as fixed.