oss-sec mailing list archives
Re: glibc locale issues
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Sun, 13 Jul 2014 19:15:32 -0700
Tavis Ormandy <taviso () cmpxchg8b com> wrote:
I just remembered another charset issue I had looked into but abandoned. First of all, I think the need_so logic in gconv_trans is broken, but even if it worked there is an off by one error in __gconv_translit_find() (it does + 3 instead of + 3 + 1 in the allocation).
To be clear, I suspect this is exploitable. It would be nice if you could modify the buffer such that gconv will open a path with a string you've appended to it (e.g. CHARSET=//. pkexec ./../../../../tmp/foo.so), if not maybe the one byte overflow is still exploitable. You have a reasonable amount of control, e.g. CHARSET=//AAAAA pkexec $(perl -e 'print "A" x 125'
Tavis.
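The allocation miscount described in the message, as an added constructed analogue in C (this is not glibc's code and does not reproduce __gconv_translit_find): it assumes a name built from two parts with three separator bytes, so "+ 3" covers the separator and the missing "+ 1" is the NUL terminator; checking snprintf's return value turns the silent one-byte heap overflow into a detectable failure.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed analogue of the miscount: the three separator bytes are
 * counted, the terminating NUL is not. Returns what a buggy caller
 * would allocate. */
size_t buggy_alloc_size(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + 3;
}

/* Correct size: separator bytes plus the terminating NUL. */
size_t correct_alloc_size(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + 3 + 1;
}

/* Builds "a//b/" (assumed shape) into buf of size bufsz. Returns 1 on
 * success, 0 if the buffer is too small: snprintf never writes past
 * bufsz, and its return value reports the length that was needed. */
int build_name(char *buf, size_t bufsz, const char *a, const char *b)
{
    int n = snprintf(buf, bufsz, "%s//%s/", a, b);
    return n >= 0 && (size_t)n < bufsz;
}

/* Allocates with the given size function and attempts the build;
 * returns whether the full name fit in the allocation. */
int try_build(size_t (*size_fn)(const char *, const char *),
              const char *a, const char *b)
{
    size_t sz = size_fn(a, b);
    char *buf = malloc(sz);
    if (buf == NULL)
        return 0;
    int ok = build_name(buf, sz, a, b);
    free(buf);
    return ok;
}

int main(void)
{
    const char *from = "UTF-8", *to = "ASCII"; /* constructed sample input */
    printf("buggy size fits:   %d\n", try_build(buggy_alloc_size, from, to));
    printf("correct size fits: %d\n", try_build(correct_alloc_size, from, to));
    return 0;
}
```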