oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: coreutils sort heap overflow

From: cve-assign () mitre org
Date: Tue, 19 May 2015 15:36:54 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


a heap overflow can be triggered in sort(1) as per:
https://bugzilla.suse.com/show_bug.cgi?id=928749
https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940



src/sort.c (keycompare_mb) ... The current implementation is character
based, so we allocate the worst case size for the conversion buffer,
which is MB_CUR_MAX for each input byte.


This appears to be caused by performing a size calculation without
properly considering the number of bytes occupied by multibyte
characters. Use CVE-2015-4041.



https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940



There is also a theoretical buffer overflow with data around
SIZE_MAX/2.


This appears to be related to the new "SIZE_MAX - lenb - 2 < lena"
test, which is not specifically associated with use of multibyte
characters. Use CVE-2015-4042.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVW5B2AAoJEKllVAevmvmsTCYIALr2h2N45b4ENpHrfUechDFZ
q2cJqpoDUJ3B4PSendkoh9BeH7fwwVVgSwXJpVtU0vaJOh0SXsioNahkuCpp0eA1
1v39Lki0eW5/ZDxDzqDcv7m9oLGmI4LjrShqUG11UJhsNQ+6lEJAtz7+VJllW/V4
NV1ixrRW/pCOpwX1Lp57KO1VSihbb+Iol+gWSTAFaJjn8DqrWrbWBVkVVk1rv3dW
skkco5SKFUWJBdzPb/PkmEQ71kxXrlsEKBG5wrHHOKjIdQEj9fjnJ/HXo7AoEg1+
SLq0CV2nVZltIQXvPvxIBvO8a1tM9g+bLoDuCDhyfYG+rCDMkOEBN4nvXyc1+Mw=
=BJHX
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: