The nargs value can overflow when doing allocations, and argument-based offsets are not bounds-checked, allowing arbitrary memory writes via format strings, bypassing _FORTIFY_SOURCE protections:
Patch in progress:
Fixed in git head, this should be backported to all active branches.
FYI, a comment from Laszlo Ersek in Red Hat BZ:
The easiest fix would have been to restrict "nargs" to NL_ARGMAX.
Tomas, could you or Laszlo bring this up on libc-alpha, please?
(In reply to comment #3)
> Tomas, could you or Laszlo bring this up on libc-alpha, please?
This was posted in:
Replies indicate it is preferred to limit nargs by available memory rather than using an arbitrary limit, i.e. what Kees' patch was doing already.
Related commit links for posterity:
so I am marking this bug as fixed.
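The two defects in the report (an nargs-based allocation size that can wrap, and positional argument offsets that are never checked against the allocated slot count) together with the fix direction settled on libc-alpha (bound nargs by what memory can actually hold rather than by an arbitrary constant), as an added C example that is not glibc's code or the patch itself; `struct arg_slot` and the function names are illustrative stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for the per-argument bookkeeping a printf implementation keeps
   (constructed for this example; the real record is larger). */
struct arg_slot { int type; union { long l; double d; void *p; } v; };

/* The unchecked computation described in the report: a huge nargs wraps
   the product, so the buffer ends up far smaller than the number of slots
   the parser then writes into. Returns the (possibly wrapped) byte count. */
size_t unchecked_alloc_size(size_t nargs)
{
    return nargs * sizeof(struct arg_slot);
}

/* Checked variant: nargs is limited by what the allocation size can
   represent, not by a fixed cap. Returns 1 and stores the byte count in
   *out on success, 0 if the product would overflow size_t. */
int checked_alloc_size(size_t nargs, size_t *out)
{
    if (nargs > SIZE_MAX / sizeof(struct arg_slot))
        return 0;
    *out = nargs * sizeof(struct arg_slot);
    return 1;
}

/* A positional conversion "%N$d" refers to slot N-1; it must fall inside
   the nargs slots that were allocated. Returns 1 if in range, else 0. */
int positional_in_range(size_t pos, size_t nargs)
{
    return pos >= 1 && pos <= nargs;
}

/* Allocate the argument table only after the overflow check passes.
   Returns NULL on overflow (or allocation failure) so the caller fails
   the whole call instead of writing past a too-small buffer. */
struct arg_slot *alloc_arg_table(size_t nargs)
{
    size_t bytes;
    if (!checked_alloc_size(nargs, &bytes))
        return NULL;
    return calloc(1, bytes);
}
```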
*** Bug 260998 has been marked as a duplicate of this bug. ***