public inbox for glibc-bugs@sourceware.org
* [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities
From: jackie.rosen at hushmail dot com @ 2014-02-16 17:44 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10600
Jackie Rosen <jackie.rosen at hushmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jackie.rosen at hushmail dot com
--- Comment #4 from Jackie Rosen <jackie.rosen at hushmail dot com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities
From: schwab at sourceware dot org @ 2014-05-28 19:42 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10600
Andreas Schwab <schwab at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|jackie.rosen at hushmail dot com |
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities
From: fweimer at redhat dot com @ 2014-06-13 10:59 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10600
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security+
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities
From: fweimer at redhat dot com @ 2014-07-02 10:50 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10600
--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
*** Bug 9707 has been marked as a duplicate of this bug. ***
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities (CVE-2008-1391)
From: fweimer at redhat dot com @ 2014-07-02 10:50 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=10600
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|stdio/strfmon.c multiple |stdio/strfmon.c multiple
|vulnerabilities |vulnerabilities
| |(CVE-2008-1391)
Alias| |CVE-2008-1391
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities
From: drepper at redhat dot com @ 2009-10-30 4:36 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From drepper at redhat dot com 2009-10-30 04:36 -------
Only 32-bit had a problem and it's fixed.
--
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
http://sourceware.org/bugzilla/show_bug.cgi?id=10600
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities
From: thoger at redhat dot com @ 2009-10-13 16:33 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From thoger at redhat dot com 2009-10-13 16:33 -------
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=199eb0de8d
--
http://sourceware.org/bugzilla/show_bug.cgi?id=10600
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities
From: kees at outflux dot net @ 2009-09-29 18:53 UTC (permalink / raw)
To: glibc-bugs
--
What |Removed |Added
----------------------------------------------------------------------------
CC| |kees at outflux dot net
http://sourceware.org/bugzilla/show_bug.cgi?id=10600
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities
From: thoger at redhat dot com @ 2009-09-23 16:44 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From thoger at redhat dot com 2009-09-23 16:44 -------
(In reply to comment #0)
> Affected Software (tested 27.08.2009):
> - Fedora 11
> - Slackware 12.2
> - Ubuntu 9.04
> - others linux distributions
Looks like you should be listing architectures here too, as they do seem to
matter here.
> ---
> And what exactly does an BSD implementation has to do with glibc?
> ---
That sounds like a reference to:
http://sourceware.org/bugzilla/show_bug.cgi?id=9707
Further on, I'll be quoting this advisory:
http://securityreason.com/achievement_securityalert/67
> Let's see libc/stdlib/strfmon_l.c (glibc rev-1.5.2.4)
...
> if (width > LONG_MAX / 10
> || (width == LONG_MAX && val > LONG_MAX % 10))
> {
> __set_errno (E2BIG);
> return -1;
> }
...
> if (width >= maxsize - (dest - s))
> {
> __set_errno (E2BIG);
> return -1;
> }
..
> Perfect. The above code protects us.
For posterity and completeness of references, the integer overflow check was
added via the following commit:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=153aa31b93be22e01b236375fb02a9f9b9a0195f
This sounds like a reason why your original vector %99999999999999999999n does
not work any more.
> But what is below, is a mistake already
This seems to refer to missing integer overflow checks in the code converting
left_prec / right_prec from string to number, as a similar approach is used there
as for converting width:
http://sourceware.org/git/?p=glibc.git;a=blob;f=stdlib/strfmon_l.c#l242
http://sourceware.org/git/?p=glibc.git;a=blob;f=stdlib/strfmon_l.c#l259
But wait, how does that explain a crash on "%.1073741821i"? 1073741821 is less
than 2^31, so it won't overflow (signed) integer on either 32 bit or 64 bit
architectures, right?
> info.width = left_prec + (right_prec ? (right_prec + 1) : 0);
This should not overflow either, as left_prec is 0 here. So the problem seems
to be elsewhere...
So let's ignore strfmon for a while and try something more simple:
printf("%.1073741821f\n", 0.0);
Testing this on F11 glibc-2.10.1, this crashes when compiled with -m32, but does
not with -m64. A little more looking leads to:
http://sourceware.org/git/?p=glibc.git;a=blob;f=stdio-common/printf_fp.c#l890
This is where the integer overflow occurs (when computing wbuffer_to_alloc). It
should also explain where the ~1gig memory usage comes from with your
"%.1343741821i" test.
Ulrich, I bet your knowledge of this code is a lot better than the reporter's and
mine combined, so you can come up with a proper fix. I just hope this additional
info does help. Is it enough for a NEW -> ASSIGNED state change?
--
What |Removed |Added
----------------------------------------------------------------------------
CC| |thoger at redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=10600
^ permalink raw reply [flat|nested] 9+ messages in thread
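The two arithmetic steps discussed in the message above, as an added C example that is not from the thread and is not glibc's code: a bounded digit parser in the style of the quoted width check, and a buffer-size computation modelled with a 32-bit size_t. The names parse_field, alloc_size_unchecked32 and alloc_size_checked32, and the constant MODEL_OVERHEAD, are assumptions for illustration; the real expression in printf_fp.c differs.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_WCHAR_SIZE 4u /* sizeof(wchar_t) on glibc/Linux */
#define MODEL_OVERHEAD   4u /* assumed extra characters (sign, point, ...) */

/* Parse a decimal width/precision field, refusing the digit that would
   push the value past INT_MAX (same shape as the quoted width check). */
int parse_field(const char *s, int *out)
{
    int v = 0;
    if (*s < '0' || *s > '9')
        return -1;
    for (; *s >= '0' && *s <= '9'; ++s) {
        int d = *s - '0';
        if (v > INT_MAX / 10 || (v == INT_MAX / 10 && d > INT_MAX % 10)) {
            errno = E2BIG;
            return -1;
        }
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* Size computation as a 32-bit size_t would do it: the product is
   silently reduced modulo 2^32. */
uint32_t alloc_size_unchecked32(uint32_t precision)
{
    return (MODEL_OVERHEAD + precision) * MODEL_WCHAR_SIZE;
}

/* Checked variant: 0 and the size on success, -1 if it cannot fit. */
int alloc_size_checked32(uint32_t precision, uint32_t *size)
{
    if (precision > UINT32_MAX / MODEL_WCHAR_SIZE - MODEL_OVERHEAD)
        return -1;
    *size = (MODEL_OVERHEAD + precision) * MODEL_WCHAR_SIZE;
    return 0;
}

int main(void)
{
    int p = 0; uint32_t sz = 0;
    if (parse_field("1073741821", &p) == 0)
        printf("parsed=%d unchecked=%u checked=%d\n", p,
               (unsigned)alloc_size_unchecked32((uint32_t)p),
               alloc_size_checked32((uint32_t)p, &sz));
    return 0;
}
```

The precision from the thread passes the digit parser because it is below 2^31, yet the modelled 32-bit size wraps to a few bytes, which is why the check has to sit on the size computation as well as on the parse.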
Thread overview: 9+ messages
[not found] <bug-10600-131@http.sourceware.org/bugzilla/>
2014-02-16 17:44 ` [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities jackie.rosen at hushmail dot com
2014-05-28 19:42 ` schwab at sourceware dot org
2014-06-13 10:59 ` fweimer at redhat dot com
2014-07-02 10:50 ` [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities (CVE-2008-1391) fweimer at redhat dot com
2014-07-02 10:50 ` [Bug libc/10600] stdio/strfmon.c multiple vulnerabilities fweimer at redhat dot com
2009-09-03 20:31 [Bug libc/10600] New: " cxib at securityreason dot com
2009-09-23 16:44 ` [Bug libc/10600] " thoger at redhat dot com
2009-09-29 18:53 ` kees at outflux dot net
2009-10-13 16:33 ` thoger at redhat dot com
2009-10-30 4:36 ` drepper at redhat dot com