[Bug localedata/17187] New: Out-of-bounds NUL write in iconv_open
fweimer at redhat dot com
sourceware-bugzilla@sourceware.org
Mon Jul 21 12:20:00 GMT 2014
https://sourceware.org/bugzilla/show_bug.cgi?id=17187
Bug ID: 17187
Summary: Out-of-bounds NUL write in iconv_open
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: localedata
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: libc-locales at sourceware dot org
Flags: security?
Tavis Ormandy reported that iconv_open mishandles // transliteration
specifiers:
http://www.openwall.com/lists/oss-security/2014/07/14/1
The cause is in __gconv_translit_find:
cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
trans->name, name_len);
if (need_so)
memcpy (cp, ".so", sizeof (".so"));
cp points *after* the NUL terminator, so the memcpy call does not actually
append ".so", but copies four bytes starting after the terminating NUL
character, not changing the string at all—and writing a single NUL byte after
the end of the buffer.
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the Libc-locales
mailing list