An integer overflow, leading to buffer overflow flaw was found in the way the implementation of strcoll() routine, used to compare two strings based on the current locale, of glibc, the GNU libc libraries, performed calculation of memory requirements / allocation, needed for storage of the strings. If an application linked against glibc was missing an application-level sanity checks for validity of strcoll() arguments and accepted untrusted input, an attacker could use this flaw to cause the particular application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Upstream bug report (including reproducer):
Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or
libc6) 2.17 and earlier allows context-dependent attackers to cause a denial
of service (crash) or possibly execute arbitrary code via a long string,
which triggers a heap-based buffer overflow.
Fixed in master, see . Any chance on getting a backport of the fixes?
Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka
glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause
a denial of service (crash) or possibly execute arbitrary code via a long
string that triggers a malloc failure and use of the alloca function.
Maintainer(s), please drop the vulnerable version(s).
Added to an existing GLSA Request.
This issue was resolved and addressed in
GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).