oss-sec mailing list archives
Re: coreutils sort heap overflow
From: cve-assign () mitre org
Date: Tue, 19 May 2015 15:36:54 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
a heap overflow can be triggered in sort(1) as per: https://bugzilla.suse.com/show_bug.cgi?id=928749 https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940
src/sort.c (keycompare_mb) ... The current implementation is character based, so we allocate the worst case size for the conversion buffer, which is MB_CUR_MAX for each input byte.
This appears to be caused by performing a size calculation without properly considering the number of bytes occupied by multibyte characters. Use CVE-2015-4041.
https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940
There is also a theoretical buffer overflow with data around SIZE_MAX/2.
This appears to be related to the new "SIZE_MAX - lenb - 2 < lena" test, which is not specifically associated with use of multibyte characters. Use CVE-2015-4042. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVW5B2AAoJEKllVAevmvmsTCYIALr2h2N45b4ENpHrfUechDFZ q2cJqpoDUJ3B4PSendkoh9BeH7fwwVVgSwXJpVtU0vaJOh0SXsioNahkuCpp0eA1 1v39Lki0eW5/ZDxDzqDcv7m9oLGmI4LjrShqUG11UJhsNQ+6lEJAtz7+VJllW/V4 NV1ixrRW/pCOpwX1Lp57KO1VSihbb+Iol+gWSTAFaJjn8DqrWrbWBVkVVk1rv3dW skkco5SKFUWJBdzPb/PkmEQ71kxXrlsEKBG5wrHHOKjIdQEj9fjnJ/HXo7AoEg1+ SLq0CV2nVZltIQXvPvxIBvO8a1tM9g+bLoDuCDhyfYG+rCDMkOEBN4nvXyc1+Mw= =BJHX -----END PGP SIGNATURE-----
Current thread:
- coreutils sort heap overflow Pádraig Brady (May 14)
- Re: coreutils sort heap overflow cve-assign (May 19)