oss-sec mailing list archives

Re: Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues)

From: John Haxby <john.haxby () oracle com>
Date: Thu, 14 Aug 2014 14:08:16 +0100

On 13/08/14 07:01, cve-assign () mitre org wrote:

iconv/gconv_charset.h:strip() normalizes the transliteration argument to
iconv_open, so the resulting file names follow a particular pattern, and
there cannot be enough slashes to ascend to a writable directory.

if not maybe the one byte overflow is still exploitable.


Hmm.  How likely is that?  It overflows in to malloc metadata, and the
glibc malloc hardening should catch that these days.

Not necessarily on 32-bit architectures, so I agree with Tavis now, and
we need a CVE.  The upstream bug is:

   <https://sourceware.org/bugzilla/show_bug.cgi?id=17187>


Use CVE-2014-5119. A CVE-2005-#### number isn't needed because the
msg00091.html message (referenced in 17187) does not state any
security implications.


That's correct.  Neither I nor any of the readers of my original bug
report commented on any possible security implications.  (Mind you, in
2005 I was probably a little more naïve.)

jch

Current thread:

glibc locale issues Tavis Ormandy (Jul 13)
- Re: glibc locale issues Tavis Ormandy (Jul 13)
  - Re: Re: glibc locale issues Florian Weimer (Jul 21)
    - Re: Re: glibc locale issues Tavis Ormandy (Jul 21)
    - [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) Florian Weimer (Jul 29)
    - Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) cve-assign (Aug 12)
    - Re: Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) John Haxby (Aug 14)
    - Re: Re: [CVE Request] glibc iconv_open buffer overflow (was: Re: [oss-security] Re: glibc locale issues) Tavis Ormandy (Aug 14)