oss-sec mailing list archives
Re: Re: glibc locale issues
From: Florian Weimer <fweimer () redhat com>
Date: Mon, 21 Jul 2014 14:17:47 +0200
On 07/14/2014 04:15 AM, Tavis Ormandy wrote:
Tavis Ormandy <taviso () cmpxchg8b com> wrote:I just remembered another charset issues I had looked into but abandoned. First of all, I think the need_so logic in gconv_trans is broken, but even if it worked there is an off by one error in __gconv_translit_find() (it does + 3 instead of + 3 + 1 in the allocation.To be clear, I suspect this is exploitable. It would be nice if you could modify the buffer such that gconv will open a path with a string you've appended it (e.g. CHARSET=//. pkexec ./../../../../tmp/foo.so),
This is about the glib part and the alias processing, right?iconv/gconv_charset.h:strip() normalizes the transliteration argument to iconv_open, so the resulting file names follow a particular pattern, and there cannot be enough slashes to ascend to a writable directory.
if not maybe the one byte overflow is still exploitable.
Hmm. How likely is that? It overflows in to malloc metadata, and the glibc malloc hardening should catch that these days.
-- Florian Weimer / Red Hat Product Security
Current thread:
- glibc locale issues Tavis Ormandy (Jul 13)
- Re: glibc locale issues Tavis Ormandy (Jul 13)
- Re: Re: glibc locale issues Florian Weimer (Jul 21)
- Re: Re: glibc locale issues Tavis Ormandy (Jul 21)
- [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) Florian Weimer (Jul 29)
- Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) cve-assign (Aug 12)
- Re: Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) John Haxby (Aug 14)
- Re: Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) Tavis Ormandy (Aug 14)
- Re: Re: glibc locale issues Florian Weimer (Jul 21)
- Re: glibc locale issues Tavis Ormandy (Jul 13)