oss-sec mailing list archives
CVE request: glibc formatted printing vulnerabilities
From: Stefan Cornelius <scorneli () redhat com>
Date: Wed, 11 Jul 2012 12:32:35 +0200
Hi, there are further vulnerabilities in glibc's formatted printing functionality. 1) It was discovered that the formatted printing functionality in glibc did not properly honor the size of a structure when calculating the amount of memory to allocate. A remote attacker could provide a specially crafted sequence of format specifiers, leading to an undersized buffer allocation and subsequent stack corruption, resulting in a crash or, potentially, FORTIFY_SOURCE format string protection mechanism bypass, when processed. References: http://sourceware.org/bugzilla/show_bug.cgi?id=12445 http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=84a4211850e3d23a9d3a4f3b294752a3b30bc0ff https://bugzilla.redhat.com/show_bug.cgi?id=833703 2) It was discovered that the formatted printing functionality in glibc used extend_alloca() incorrectly. "nspecs_max" is incorrectly passed to extend_alloca, which modifies the value in "nspecs_max" when allocating the memory. A remote attacker could provide a specially crafted sequence of format specifiers, leading to a desynchronization within the buffer size handling, resulting in the use of uninitialized memory or, potentially, FORTIFY_SOURCE format string protection mechanism bypass, when processed. References: http://sourceware.org/bugzilla/show_bug.cgi?id=13446 http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a4647e727a2a52e1259474c13f4b13288938bed4 https://bugzilla.redhat.com/show_bug.cgi?id=833704 It seems like 1) and 2) were introduced by the following commit: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1d498daa95384e5c9ad5bcb35e7a996e5869ac39 3) It was discovered that the formatted printing functionality in glibc did not properly restrict the use of alloca(). A remote attacker could provide a specially crafted sequence of format specifiers, leading to a crash or, potentially, FORTIFY_SOURCE format string protection mechanism bypass, when processed. References: https://bugzilla.redhat.com/show_bug.cgi?id=826943 Red Hat patch backports/testcases for RHEL6 that include a patch for this: https://bugzilla.redhat.com/attachment.cgi?id=594722&action=diff Red Hat patch backport/testcase for RHEL5 (older glibc versions) https://bugzilla.redhat.com/attachment.cgi?id=594727&action=diff Thanks in advance and kind regards -- Stefan Cornelius / Red Hat Security Response Team
Current thread:
- CVE request: glibc formatted printing vulnerabilities Stefan Cornelius (Jul 11)
- Re: CVE request: glibc formatted printing vulnerabilities Kurt Seifried (Jul 11)
- Re: CVE request: glibc formatted printing vulnerabilities Kees Cook (Jul 11)
- Re: CVE request: glibc formatted printing vulnerabilities Stefan Cornelius (Jul 11)