This is the mail archive of the libc-locales@sourceware.org mailing list for the GNU libc locales project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug localedata/17187] New: Out-of-bounds NUL write in iconv_open


https://sourceware.org/bugzilla/show_bug.cgi?id=17187

            Bug ID: 17187
           Summary: Out-of-bounds NUL write in iconv_open
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: localedata
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: libc-locales at sourceware dot org
             Flags: security?

Tavis Ormandy reported that iconv_open mishandles // transliteration
specifiers:

http://www.openwall.com/lists/oss-security/2014/07/14/1

The cause is in __gconv_translit_find:

          cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
                  trans->name, name_len);
          if (need_so)
        memcpy (cp, ".so", sizeof (".so"));

cp points *after* the NUL terminator, so the memcpy call does not actually
append ".so", but copies four bytes starting after the terminating NUL
character, not changing the string at allâand writing a single NUL byte after
the end of the buffer.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]