Bug 90552 - sys-libs/libsafe: Libsafe Safety Check Bypass Vulnerability
Summary: sys-libs/libsafe: Libsafe Safety Check Bypass Vulnerability
Status: RESOLVED DUPLICATE of bug 89246
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.securiteam.com/unixfocus/5...
Whiteboard: B4
Keywords:
Depends on:
Blocks:
 
Reported: 2005-04-26 15:52 UTC by Adir Abraham
Modified: 2005-07-17 13:06 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Description Adir Abraham 2005-04-26 15:52:34 UTC
from securiteam.com:

Libsafe is "a library that protect critical elements of stacks". Due to a bug in libsafe, attackers can bypass libsafe's checking and exploit a vulnerability contained inside a libsafe-protected multi-threaded application.

Reproducible: Always
Steps to Reproduce:

Vulnerable Systems:
 * libsafe version 2.0.16

As an example, look at the code of the safe function strcpy():
char *strcpy(char *dest, const char *src)
{
    ...
    /* resolve the real libc strcpy() on first use */
    if (!real_strcpy)
        real_strcpy = (strcpy_t) getLibraryFunction("strcpy");
    ...
    /* 0 is taken to mean "dest is not a stack variable": no bound is
     * enforced and the call goes straight to the real strcpy() */
    if ((max_size = _libsafe_stackVariableP(dest)) == 0) {
        LOG(5, "strcpy(<heap var> , <src>)\n");
        return real_strcpy(dest, src);
    }
    ...
    /* src does not fit in the space left in the frame: kill the process */
    if ((len = strnlen(src, max_size)) == max_size)
        _libsafe_die("Overflow caused by strcpy()");
    ...

Function _libsafe_stackVariableP() checks the distance between the buffer and the stack
frame. It should return 0 only in the case where the address does not point to a stack
variable. Look at the function code:
uint _libsafe_stackVariableP(void *addr) {
    ...
    /*
     * If _libsafe_die() has been called, then we don't need to do anymore
     * libsafe checking.
     */
    /* this 0 is indistinguishable from "not a stack variable" to the callers above */
    if (dying)
        return 0;
    ...

Function _libsafe_die() is called when an attack is detected; the variable "dying" is
set and at last the application is killed. In the case of multi-threaded programs, it is
possible to carry out the attack before the end of _libsafe_die(), during the time when
checking is not active.

------

There also seems to be an unofficial fix on the site.
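The race described in the report, as an added example that is not part of the original bug report and not libsafe's own code. It is a deterministic model rather than a real threaded program: the caller supplies the room left in the buffer (stack_buf.cap, an assumption standing in for libsafe's stack-frame walk), and "thread B" is simply a second wrapped copy made while `dying` is already set and the process has not yet been killed. The hardened variant (stack_check_fixed) is hypothetical; the page only says an unofficial fix exists and does not show it.

```c
#define _GNU_SOURCE          /* for strnlen() */
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not libsafe's code): a deterministic model of the race
 * in the report. Real libsafe walks stack frames to compute the room left in
 * dest; here the caller supplies that bound via stack_buf.cap (assumption),
 * and the two "threads" are two sequential calls made while the dying flag
 * is set and the process has not yet been killed.
 */

static int dying = 0;        /* mirrors libsafe's global set by _libsafe_die() */

typedef struct {
    char  *buf;              /* the stack buffer being written */
    size_t cap;              /* bytes between buf and the frame boundary */
} stack_buf;

typedef unsigned int (*stack_check_fn)(stack_buf *);

/* Model of the vulnerable _libsafe_stackVariableP(): once dying is set it
 * returns 0, which the strcpy wrapper cannot tell apart from "heap buffer". */
static unsigned int stack_check_vuln(stack_buf *b)
{
    if (dying)
        return 0;
    return (unsigned int)b->cap;
}

/* Hypothetical hardened variant: keep reporting the real bound while dying,
 * so a copy issued by another thread is still length-checked. */
static unsigned int stack_check_fixed(stack_buf *b)
{
    return (unsigned int)b->cap;
}

enum result { COPIED_OK, OVERFLOW_DETECTED, OVERFLOW_UNCHECKED };

/* Model of libsafe's strcpy wrapper, parameterised on the stack check. */
static enum result guarded_strcpy(stack_check_fn check, stack_buf *dest,
                                  const char *src)
{
    unsigned int max_size = check(dest);

    if (max_size == 0) {
        /* libsafe treats this as a heap destination and calls the real
         * strcpy unchecked. We do not actually smash the stack here; we
         * report that the unchecked copy would have overflowed dest. */
        if (strlen(src) + 1 > dest->cap)
            return OVERFLOW_UNCHECKED;
        strcpy(dest->buf, src);
        return COPIED_OK;
    }

    if (strnlen(src, max_size) == max_size) {
        /* _libsafe_die(): sets dying, logs, then kills the process. The
         * kill is not instantaneous, which is the window the report uses. */
        dying = 1;
        return OVERFLOW_DETECTED;
    }

    strcpy(dest->buf, src);
    return COPIED_OK;
}

/* Thread A's copy trips the check; thread B's identical copy runs before
 * _libsafe_die() has finished. Returns the outcome of thread B's copy. */
static enum result race_scenario(stack_check_fn check)
{
    char a[16], b[16];
    stack_buf da = { a, sizeof a };
    stack_buf db = { b, sizeof b };
    /* constructed oversized input: 32 bytes aimed at a 16-byte buffer */
    const char *payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    enum result first;

    dying = 0;
    first = guarded_strcpy(check, &da, payload);
    if (first != OVERFLOW_DETECTED)
        return first;                  /* thread A should always be caught */
    return guarded_strcpy(check, &db, payload);
}

int main(void)
{
    printf("vulnerable check, thread B copy: %s\n",
           race_scenario(stack_check_vuln) == OVERFLOW_UNCHECKED
               ? "passed through unchecked" : "checked");
    printf("hardened check,   thread B copy: %s\n",
           race_scenario(stack_check_fixed) == OVERFLOW_DETECTED
               ? "detected" : "not detected");
    return 0;
}
```

Caveat: in real libsafe the `dying` flag also stops _libsafe_die()'s own logging from recursing back into the wrappers, so removing the early return outright, as stack_check_fixed does, is a model of the missing property (checks stay active until the process is actually gone), not a drop-in patch; a real fix has to keep the recursion guard while closing the window.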
Comment 1 SpanKY gentoo-dev 2005-04-26 16:06:47 UTC

*** This bug has been marked as a duplicate of 89246 ***