This is the mail archive of the
libc-locales@sourceware.org
mailing list for the GNU libc locales project.
[Bug localedata/17187] New: Out-of-bounds NUL write in iconv_open
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: libc-locales at sourceware dot org
- Date: Mon, 21 Jul 2014 11:43:25 +0000
- Subject: [Bug localedata/17187] New: Out-of-bounds NUL write in iconv_open
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=17187
Bug ID: 17187
Summary: Out-of-bounds NUL write in iconv_open
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: localedata
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: libc-locales at sourceware dot org
Flags: security?
Tavis Ormandy reported that iconv_open mishandles // transliteration
specifiers:
http://www.openwall.com/lists/oss-security/2014/07/14/1
The cause is in __gconv_translit_find:
cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
trans->name, name_len);
if (need_so)
memcpy (cp, ".so", sizeof (".so"));
cp points *after* the NUL terminator, so the memcpy call does not actually
append ".so", but copies four bytes starting after the terminating NUL
character, not changing the string at allâand writing a single NUL byte after
the end of the buffer.
--
You are receiving this mail because:
You are on the CC list for the bug.