Re: CVE Request -- glibc: strcoll() integer overflow leading to buffer overflow + another alloca() stack overflow issue (upstream #14547 && #14552)

[Jeff Law <law () redhat com>]

On 09/07/2012 11:21 AM, Kurt Seifried wrote:
> > 2) Issue #2 (mentioned here only for completeness, but I am not of
> > the opinion this should receive a CVE identifier. See argumentation
> > below [but open to glibc upstream / others to disprove it]).
>
> I will hold off on issuing a CVE for this then. Anyone want to weigh in?
> > alloca() stack overflow (first issue from the report below)
> > Upstream bug report: [3]
> > http://sourceware.org/bugzilla/show_bug.cgi?id=14552
> >
> > If I have looked correctly this is expected / known behaviour of
> > alloca() - from the manual page: [4]
> > http://linux.die.net/man/3/alloca
Just because it's known/expected behaviour doesn't mean it's not a 
potential attack vector.  Blowing out the stack is definitely a vector 
for attack:

http://www.phrack.org/issues.html?issue=67&id=9#article
http://www.phrack.com/issues.html?issue=63&id=14#article

Jeff