| Summary: | vfprintf nargs integer overflow (CVE-2012-0864) | ||
|---|---|---|---|
| Product: | glibc | Reporter: | Kees Cook <kees> |
| Component: | stdio | Assignee: | Carlos O'Donell <carlos> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | aj, eggert, fweimer, thoger |
| Priority: | P2 | Keywords: | glibc_2.14, glibc_2.15 |
| Version: | unspecified | Flags: | fweimer:
security+
|
| Target Milestone: | --- | ||
| Host: | Target: | ||
| Build: | Last reconfirmed: | ||
|
Description
Kees Cook
2012-02-02 20:52:43 UTC
Fixed in git head, this should be backported to all active branches. FYI, a comment form Laszlo Ersek in Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=794766#c8 The easiest fix would have been to restrict "nargs" to NL_ARGMAX. http://www.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html#tag_13_23_03_07 Tomas, could you or Laszlo bring this up on libc-alpha, please? (In reply to comment #3) > Tomas, could you or Laszlo bring this up on libc-alpha, please? This was posted in: http://sourceware.org/ml/libc-alpha/2012-03/msg00101.html Replies indicate it is preferred to limit nargs by available memory rather than using an arbitrary limit, i.e. what Kees' patch was doing already. Related commit links for posterity: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fa0355175d60ccf610c98f2345504603d3b8ea57 Fix committed: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e so I am marking this bug as fixed. *** Bug 260998 has been marked as a duplicate of this bug. *** Seen from the domain http://volichat.com Page where seen: http://volichat.com/adult-chat-rooms Marked for reference. Resolved as fixed @bugzilla. |