oss-sec mailing list archives
CVE-2020-28928: musl libc: wcsnrtombs destination buffer overflow
From: Rich Felker <dalias () libc org>
Date: Thu, 19 Nov 2020 18:47:22 -0500
The wcsnrtombs function in all musl libc versions up through 1.2.1 has been found to have multiple bugs in handling of destination buffer size when limiting the input character count, which can lead to infinite loop with no forward progress (no overflow) or writing past the end of the destination buffera. This function is not used internally in musl and is not widely used, but does appear in some applications. The non-input-limiting form wcsrtombs is not affected. All users of musl 1.2.1 and prior versions should apply the attached patch, which replaces the overly complex and erroneous implementation. The upcoming 1.2.2 release will adopt this new implementation.
Attachment:
wcsnrtombs-cve-2020-28928.diff
Description:
Current thread:
- CVE-2020-28928: musl libc: wcsnrtombs destination buffer overflow Rich Felker (Nov 20)