The nargs value can overflow when doing allocations, and argument-based offsets are not bounds-checked, allowing arbitrary memory writes via format strings, bypassing _FORTIFY_SOURCE protections: http://www.phrack.org/issues.html?issue=67&id=9 Patch in progress: http://cygwin.com/ml/libc-alpha/2012-02/msg00016.html
Fixed in git head, this should be backported to all active branches.
FYI, a comment form Laszlo Ersek in Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=794766#c8 The easiest fix would have been to restrict "nargs" to NL_ARGMAX. http://www.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html#tag_13_23_03_07
Tomas, could you or Laszlo bring this up on libc-alpha, please?
(In reply to comment #3) > Tomas, could you or Laszlo bring this up on libc-alpha, please? This was posted in: http://sourceware.org/ml/libc-alpha/2012-03/msg00101.html Replies indicate it is preferred to limit nargs by available memory rather than using an arbitrary limit, i.e. what Kees' patch was doing already. Related commit links for posterity: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fa0355175d60ccf610c98f2345504603d3b8ea57
Fix committed: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e so I am marking this bug as fixed.
*** Bug 260998 has been marked as a duplicate of this bug. *** Seen from the domain http://volichat.com Page where seen: http://volichat.com/adult-chat-rooms Marked for reference. Resolved as fixed @bugzilla.