oss-sec mailing list archives
Re: CVE request: glibc scanf implementation crashes on certain inputs
From: cve-assign () mitre org
Date: Thu, 12 Mar 2015 17:37:58 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
https://sourceware.org/bugzilla/show_bug.cgi?id=13138 causes scanf and related functions to crash when processing certain inputs. This happens with the numeric conversions (%d, %f and others), and includes valid numbers (ISO C allows crashes or worse on invalid inputs, but glibc is buggy even by this standard). The first glibc version which received the fix for this bug is 2.15.
Use CVE-2011-5320 for the https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c4 issue, i.e., the "huge string of zeros" attack vector. The scope of this CVE does not include the original "5"x21000000 input string for a %i argument. As far as we can tell, Bug 13138 doesn't resolve the question of whether a crash is a permitted behavior for that input. It seems that the relevant standards perhaps should have specified that that results in an ERANGE error without a crash, but the published wordings are not precise enough to determine whether unexpected "5"x21000000 handling is a vulnerability. Similarly, the scope of this CVE certainly does not include "string conversions that overflow the destination buffer" in the https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c3 comment. In that case, undefined behavior is the documented outcome, so we feel that there isn't a vulnerability. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVAgZmAAoJEKllVAevmvms/84H/0tjViMSuEM83gujKzVjRAB0 ulmErPQSY5BmgSux5DeLA2SQiYLEkX/0wpacjwytuHa2R6PBEWEJEj6PpRw6zUpQ /FOGwUeekpL6gmanOb8jRETDvyFXaDYqlwkRf/+UbUzEqKccRoM6lcV6asscafQL WIeo/tsz54lsXiUudHS8ZVIrCbO+BVOEKHGZ5RTlBm9cGryllf7fcnDgp6IkahHZ 2+nOAAtUq8gur0j/4HBDAoseUH+fvRkEJfC52wSrJAefV4SMF9JDrTqssnYgux1F xeQs0AZDDr2iGS5bkaxc2PZ14UcASex+mrYp6I0c7klvMcwDuWWQRZc3qTLJBPY= =RpzJ -----END PGP SIGNATURE-----
Current thread:
- CVE request: glibc scanf implementation crashes on certain inputs Florian Weimer (Feb 26)
- Re: CVE request: glibc scanf implementation crashes on certain inputs cve-assign (Mar 12)