Re: CVE request: glibc formatted printing vulnerabilities

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/11/2012 04:32 AM, Stefan Cornelius wrote:
> Hi,
>
> there are further vulnerabilities in glibc's formatted printing 
> functionality.
>
> 1) It was discovered that the formatted printing functionality in
> glibc did not properly honor the size of a structure when
> calculating the amount of memory to allocate. A remote attacker
> could provide a specially crafted sequence of format specifiers,
> leading to an undersized buffer allocation and subsequent stack
> corruption, resulting in a crash or, potentially, FORTIFY_SOURCE
> format string protection mechanism bypass, when processed.
>
> References: http://sourceware.org/bugzilla/show_bug.cgi?id=12445 
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=84a4211850e3d23a9d3a4f3b294752a3b30bc0ff
https://bugzilla.redhat.com/show_bug.cgi?id=833703

Please use CVE-2012-3404 for this issue.

> 2) It was discovered that the formatted printing functionality in
> glibc used extend_alloca() incorrectly. "nspecs_max" is incorrectly
> passed to extend_alloca, which modifies the value in "nspecs_max"
> when allocating the memory. A remote attacker could provide a
> specially crafted sequence of format specifiers, leading to a
> desynchronization within the buffer size handling, resulting in the
> use of uninitialized memory or, potentially, FORTIFY_SOURCE format
> string protection mechanism bypass, when processed.
>
> References: http://sourceware.org/bugzilla/show_bug.cgi?id=13446 
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a4647e727a2a52e1259474c13f4b13288938bed4
https://bugzilla.redhat.com/show_bug.cgi?id=833704
> It seems like 1) and 2) were introduced by the following commit: 
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1d498daa95384e5c9ad5bcb35e7a996e5869ac39

Please
>
use CVE-2012-3405 for this issue.

> 3) It was discovered that the formatted printing functionality in
> glibc did not properly restrict the use of alloca(). A remote
> attacker could provide a specially crafted sequence of format
> specifiers, leading to a crash or, potentially, FORTIFY_SOURCE
> format string protection mechanism bypass, when processed.
>
> References: https://bugzilla.redhat.com/show_bug.cgi?id=826943
>
> Red Hat patch backports/testcases for RHEL6 that include a patch
> for this: 
> https://bugzilla.redhat.com/attachment.cgi?id=594722&action=diff
>
> Red Hat patch backport/testcase for RHEL5 (older glibc versions) 
> https://bugzilla.redhat.com/attachment.cgi?id=594727&action=diff

Please use CVE-2012-3406 for this issue.

> Thanks in advance and kind regards


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP/bVjAAoJEBYNRVNeJnmTb24P/2w+i5usP05XnvmYY0QDeOE6
jzO98b9G4Dq94eKmjLpkDprb5BTtPFjw028rIn/GEqvKMKll2z0+VBUc9mFMvSxC
cdHeHlvxK7mdGFgFA+QfvEZ847/0Od7av6o2CQIy8p4SoNwM7gWT4FPHSNoVc73D
/zGM8qUm/HeStzmNZaFlF+7NFopBNegmRWA8sgXIjcmTVlFJr78qHA5uvSj0T6NG
Ve5ECwMxNMF0IkGyjFx2j49Ex+w+pQRXYwBZNeRQzRJ0SfuvEyeeWANnAy4zf7Aw
al6Ia2rWKHQm2a9LC0QoZdwRJ7y7nzvaKByiwX/LJ3Mukz4Rg56asfv9zdOIqTKk
XMydwTAW/PtwtGhgg8otSsJ8ysIm1D+lou8hLgaFzLMpVyuJsahqmM5gnOaDKnEa
06D6XwLOJyjTKstiWUGEpgDX8hwoD0qp/3YkxFGZ1Omi/Q5oZs7fUQFv1cXAYmdA
uJV7i/YJUXhKY2THM1tdCPg8zVZ3xLdWbQXhauRw3AwRjZrhTnkdLOQtI2NdzD/N
ZQ9pcM3xmJ5LUVrS/SeCLF11SQekh9nXPekwb+cXF0Nn5UzGnnwYnvGJf2dYHb7a
UslV9KlQnOGBwHFIopjBHNVNkOZAsWcFyGz8TiibxN3M7kdLlZqrdk1021gVVJC7
Z5GjSNFJWa4A6kOGcfuF
=g2X7
-----END PGP SIGNATURE-----