oss-sec mailing list archives
Re: Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues)
From: John Haxby <john.haxby () oracle com>
Date: Thu, 14 Aug 2014 14:08:16 +0100
On 13/08/14 07:01, cve-assign () mitre org wrote:
iconv/gconv_charset.h:strip() normalizes the transliteration argument to iconv_open, so the resulting file names follow a particular pattern, and there cannot be enough slashes to ascend to a writable directory.if not maybe the one byte overflow is still exploitable.Hmm. How likely is that? It overflows in to malloc metadata, and the glibc malloc hardening should catch that these days.Not necessarily on 32-bit architectures, so I agree with Tavis now, and we need a CVE. The upstream bug is:<https://sourceware.org/bugzilla/show_bug.cgi?id=17187>Use CVE-2014-5119. A CVE-2005-#### number isn't needed because the msg00091.html message (referenced in 17187) does not state any security implications.
That's correct. Neither I nor any of the readers of my original bug report commented on any possible security implications. (Mind you, in 2005 I was probably a little more naïve.) jch
Current thread:
- glibc locale issues Tavis Ormandy (Jul 13)
- Re: glibc locale issues Tavis Ormandy (Jul 13)
- Re: Re: glibc locale issues Florian Weimer (Jul 21)
- Re: Re: glibc locale issues Tavis Ormandy (Jul 21)
- [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) Florian Weimer (Jul 29)
- Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) cve-assign (Aug 12)
- Re: Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) John Haxby (Aug 14)
- Re: Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) Tavis Ormandy (Aug 14)
- Re: Re: glibc locale issues Florian Weimer (Jul 21)
- Re: glibc locale issues Tavis Ormandy (Jul 13)