* [Bug libc/13506] tzfile.c heap overrun/corruption
2011-12-15 20:45 [Bug libc/13506] New: tzfile.c heap overrun/corruption eggert at gnu dot org
@ 2011-12-15 21:01 ` eggert at gnu dot org
2011-12-15 21:45 ` law at redhat dot com
` (10 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: eggert at gnu dot org @ 2011-12-15 21:01 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
Paul Eggert <eggert at gnu dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #6113|0 |1
is obsolete| |
--- Comment #1 from Paul Eggert <eggert at gnu dot org> 2011-12-15 21:00:49 UTC ---
Created attachment 6114
--> http://sourceware.org/bugzilla/attachment.cgi?id=6114
catch multiplication as well as addition overflows
Jeff Law's work-in-progress patch misses some problematic overflows. This is
because the integer multiplications may overflow too. Attached is an
untested patch that catches the problematic overflows that I found
by inspection. This patch does not attempt to catch all overflows, only
those that might corrupt memory.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
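The point made in comment #1, that guarding only the additions misses products that have already wrapped, shown as an added example (this is not the attached patch and not glibc's code). The struct, its field names and the record sizes are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>   /* SIZE_MAX is defined here */

/* Hypothetical record counts as parsed from an untrusted file header. */
struct counts { size_t num_transitions, num_types, chars, num_leaps; };

/* Assumed per-record sizes in bytes, chosen for illustration only. */
enum { TRANS_REC = 9, TYPE_REC = 8, LEAP_REC = 16 };

static bool mul_ok(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b) return false;   /* a * b would wrap */
    *out = a * b;
    return true;
}

static bool add_ok(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) return false;             /* a + b would wrap */
    *out = a + b;
    return true;
}

/* Guards only the additions: each product may already have wrapped. */
bool total_size_add_checked(const struct counts *c, size_t *total)
{
    size_t t = c->num_transitions * TRANS_REC;      /* unchecked multiply */
    return add_ok(t, c->num_types * TYPE_REC, &t)
        && add_ok(t, c->chars, &t)
        && add_ok(t, c->num_leaps * LEAP_REC, &t)
        && (*total = t, true);
}

/* Guards every multiplication and every addition before allocating. */
bool total_size_checked(const struct counts *c, size_t *total)
{
    size_t t, part;
    if (!mul_ok(c->num_transitions, TRANS_REC, &t)) return false;
    if (!mul_ok(c->num_types, TYPE_REC, &part) || !add_ok(t, part, &t)) return false;
    if (!add_ok(t, c->chars, &t)) return false;
    if (!mul_ok(c->num_leaps, LEAP_REC, &part) || !add_ok(t, part, &t)) return false;
    *total = t;
    return true;
}
```

With a transition count just above `SIZE_MAX / TRANS_REC`, the addition-only variant accepts a total of a few bytes, while the fully checked variant rejects the header.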
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: law at redhat dot com @ 2011-12-15 21:45 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
law at redhat dot com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |law at redhat dot com
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: vapier at gentoo dot org @ 2011-12-15 23:06 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
Mike Frysinger <vapier at gentoo dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |toolchain at gentoo dot org
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: rguenth at gcc dot gnu.org @ 2011-12-16 8:38 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
Richard Guenther <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rguenth at gcc dot gnu.org
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: allan at archlinux dot org @ 2011-12-16 10:48 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
Allan McRae <allan at archlinux dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |allan at archlinux dot org
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: mpolacek at redhat dot com @ 2011-12-16 10:54 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
Marek Polacek <mpolacek at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mpolacek at redhat dot com
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: drepper.fsp at gmail dot com @ 2011-12-18 1:19 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
Ulrich Drepper <drepper.fsp at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #2 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-12-18 01:19:35 UTC ---
I added a patch.
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: vapier at gentoo dot org @ 2011-12-19 5:36 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
Mike Frysinger <vapier at gentoo dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |vapier at gentoo dot org
--- Comment #3 from Mike Frysinger <vapier at gentoo dot org> 2011-12-19 05:35:35 UTC ---
http://sourceware.org/git/?p=glibc.git;a=commit;h=97ac2654b2d831acaa18a2b018b0736245903fd2
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: allan at archlinux dot org @ 2011-12-19 5:52 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
--- Comment #4 from Allan McRae <allan at archlinux dot org> 2011-12-19 05:50:57 UTC ---
Note that there is a typo in that patch. The "tzspec == 0" should be
"tzspec_len == 0". I sent the trivial patch to the mailing list (awaiting
moderation).
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: law at redhat dot com @ 2011-12-19 7:59 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
--- Comment #5 from law at redhat dot com 2011-12-19 07:57:44 UTC ---
Also looks like s390 won't build because SIZE_MAX is not defined. Guessing
stdint.h needs to be included in tzfile.c
* [Bug libc/13506] tzfile.c heap overrun/corruption
From: drepper.fsp at gmail dot com @ 2011-12-21 23:58 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13506
--- Comment #6 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-12-21 23:58:14 UTC ---
(In reply to comment #5)
> Also looks like s390 won't build because SIZE_MAX is not defined. Guessing
> stdint.h needs to be included in tzfile.c
The correct change is to make the s390 header look like the x86-64 headers.
* [Bug libc/13506] tzfile.c heap overrun/corruption (CVE-2009-5029)
From: fweimer at redhat dot com @ 2014-06-27 11:30 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13506
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Summary|tzfile.c heap |tzfile.c heap
|overrun/corruption |overrun/corruption
| |(CVE-2009-5029)
Alias| |CVE-2009-5029
Flags| |security+