Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <53ECB4C0.6030302@oracle.com>
Date: Thu, 14 Aug 2014 14:08:16 +0100
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com, fweimer@...hat.com
CC: cve-assign@...re.org
Subject: Re: Re: [CVE Request] glibc iconv_open buffer overflow
 (was: Re: Re: glibc locale issues)

On 13/08/14 07:01, cve-assign@...re.org wrote:
>>> iconv/gconv_charset.h:strip() normalizes the transliteration argument to
>>> iconv_open, so the resulting file names follow a particular pattern, and
>>> there cannot be enough slashes to ascend to a writable directory.
>>>
>>>> if not maybe the one byte overflow is still exploitable.
>>>
>>> Hmm.  How likely is that?  It overflows in to malloc metadata, and the
>>> glibc malloc hardening should catch that these days.
> 
>> Not necessarily on 32-bit architectures, so I agree with Tavis now, and
>> we need a CVE.  The upstream bug is:
> 
>>    <https://sourceware.org/bugzilla/show_bug.cgi?id=17187>
> 
> Use CVE-2014-5119. A CVE-2005-#### number isn't needed because the
> msg00091.html message (referenced in 17187) does not state any
> security implications.

That's correct.  Neither I nor any of the readers of my original bug
report commented on any possible security implications.  (Mind you, in
2005 I was probably a little more naïve.)

jch

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.