This is the mail archive of the
mailing list for the glibc project.
Re: [ping5][PATCH][BZ15362] Fix fwrite() reading beyond end of buffer in error path
- From: Siddhesh Poyarekar <siddhesh at redhat dot com>
- To: Allan McRae <allan at archlinux dot org>
- Cc: Siddhesh Poyarekar <siddhesh dot poyarekar at gmail dot com>, Andreas Schwab <schwab at linux-m68k dot org>, Eric Biggers <ebiggers3 at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>, carlos at redhat dot com, "Joseph S. Myers" <joseph at codesourcery dot com>, Andreas Jaeger <aj at suse dot com>, Roland McGrath <roland at hack dot frob dot com>
- Date: Tue, 15 Oct 2013 10:36:22 +0530
On Sat, Oct 12, 2013 at 07:49:19AM +1000, Allan McRae wrote:
> On 12/10/13 03:07, Siddhesh Poyarekar wrote:
> > On 11 October 2013 19:48, Andreas Schwab <email@example.com> wrote:
> >> Just go ahead, nobody had objections.
> > Thanks, I've pushed this now.
> Does the potential information disclosure in this bug make it CVE worthy?
I'm not sure. It does allow reading beyond bounds of the input buffer
and possibly relaying that information into a file. However, this
would require causing the filesystem to return an error somehow and
that seems difficult. One could technically fill up the filesystem
and induce an error, but aren't quotas a de facto thing nowadays? The
other possibility may be bugs in the filesystem that may result in
spurious error return.