This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] __gconv_translit_find: Actually append ".so" to module name [BZ #17187]
- From: Florian Weimer <fweimer at redhat dot com>
- To: Roland McGrath <roland at hack dot frob dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, taviso at google dot com
- Date: Tue, 29 Jul 2014 07:50:46 +0200
- Subject: Re: [PATCH] __gconv_translit_find: Actually append ".so" to module name [BZ #17187]
- Authentication-results: sourceware.org; auth=none
- References: <53CD0F15 dot 3030806 at redhat dot com> <20140728230221 dot 66D7A2C3994 at topped-with-meat dot com>
On 07/29/2014 01:02 AM, Roland McGrath wrote:
> The original reporter (Tavis) considers this a security issue. I don't see
> anything in bugzilla or in your posting that indicates your assessment of
> the security impact of the bug. I can only surmise from the fact that you
> made the bug and fix public rather than following CVE/embargo processes
> that you don't deem it especially sensitive.
The bug was reported publicly to a security-related mailing list. At
this point, it's difficult to put back the toothpaste into the tube.
My assessment is "not exploitable" because it's a NUL byte written into
malloc metadata. But Tavis disagrees. He is usually right. And that's
why I'm not really sure.
> The fix itself looks fine. It should certainly have a test first if at all
> possible, though.
>
> IIUC the bug has two effects: a one-byte buffer overrun of a malloc'd
> internal buffer; and failure to open the conversion module DSO.
I'm a bit at a loss how to trigger the second part, but I'll give it a try.
--
Florian Weimer / Red Hat Product Security