public inbox for glibc-bugs@sourceware.org
* [Bug libc/13656] New: vfprintf nargs integer overflow
From: kees at outflux dot net @ 2012-02-02 20:52 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13656
Bug #: 13656
Summary: vfprintf nargs integer overflow
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper.fsp@gmail.com
ReportedBy: kees@outflux.net
Classification: Unclassified
The nargs value can overflow when doing allocations, and argument-based offsets
are not bounds-checked, allowing arbitrary memory writes via format strings,
bypassing _FORTIFY_SOURCE protections:
http://www.phrack.org/issues.html?issue=67&id=9
Patch in progress:
http://cygwin.com/ml/libc-alpha/2012-02/msg00016.html
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
* [Bug libc/13656] vfprintf nargs integer overflow
From: thoger at redhat dot com @ 2012-02-05 13:02 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13656
Tomas Hoger <thoger at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |thoger at redhat dot com
* [Bug stdio/13656] vfprintf nargs integer overflow
From: jsm28 at gcc dot gnu.org @ 2012-02-21 2:39 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13656
Joseph Myers <jsm28 at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|libc |stdio
* [Bug stdio/13656] vfprintf nargs integer overflow
From: aj at suse dot de @ 2012-03-05 9:39 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13656
Andreas Jaeger <aj at suse dot de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |glibc_2.14, glibc_2.15
AssignedTo|drepper.fsp at gmail dot com |carlos at systemhalted dot org
--- Comment #1 from Andreas Jaeger <aj at suse dot de> 2012-03-05 09:38:00 UTC ---
Fixed in git head, this should be backported to all active branches.
* [Bug stdio/13656] vfprintf nargs integer overflow
From: thoger at redhat dot com @ 2012-03-05 9:57 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13656
--- Comment #2 from Tomas Hoger <thoger at redhat dot com> 2012-03-05 09:56:50 UTC ---
FYI, a comment from Laszlo Ersek in Red Hat BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=794766#c8
The easiest fix would have been to restrict "nargs" to NL_ARGMAX.
http://www.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html#tag_13_23_03_07
* [Bug stdio/13656] vfprintf nargs integer overflow
From: aj at suse dot de @ 2012-03-05 10:10 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13656
Andreas Jaeger <aj at suse dot de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |aj at suse dot de
--- Comment #3 from Andreas Jaeger <aj at suse dot de> 2012-03-05 10:09:26 UTC ---
Tomas, could you or Laszlo bring this up on libc-alpha, please?
* [Bug stdio/13656] vfprintf nargs integer overflow
From: thoger at redhat dot com @ 2012-03-06 14:43 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13656
--- Comment #4 from Tomas Hoger <thoger at redhat dot com> 2012-03-06 14:42:32 UTC ---
(In reply to comment #3)
> Tomas, could you or Laszlo bring this up on libc-alpha, please?
This was posted in:
http://sourceware.org/ml/libc-alpha/2012-03/msg00101.html
Replies indicate it is preferred to limit nargs by available memory rather than
using an arbitrary limit, i.e. what Kees' patch was doing already.
Related commit links for posterity:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fa0355175d60ccf610c98f2345504603d3b8ea57
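An added illustration, constructed here and not glibc's code nor Kees' patch, of the two checks the original report and comments #2 and #4 turn on: deriving the positional-argument count from "%N$" directives without the digit accumulator wrapping, and sizing the per-argument table so that nargs times the slot size cannot overflow, with allocation failure rather than a fixed NL_ARGMAX cap as the only limit. The names BYTES_PER_ARG, max_positional_arg, args_table_bytes and alloc_args_table are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the per-argument table a vfprintf-style formatter
 * builds for "%N$" directives (one type slot plus one value slot each). */
union printf_arg { int i; long l; double d; const void *p; };
#define BYTES_PER_ARG (sizeof(int) + sizeof(union printf_arg))

/* Highest N in any "%N$" directive of fmt, written to *max_n.  Returns
 * false if the digits of some N would wrap the size_t accumulator. */
static bool max_positional_arg(const char *fmt, size_t *max_n)
{
    size_t highest = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }          /* literal "%%" */
        size_t n = 0;
        const char *q = p + 1;
        while (*q >= '0' && *q <= '9') {
            size_t d = (size_t)(*q - '0');
            if (n > (SIZE_MAX - d) / 10) return false;  /* N itself wraps */
            n = n * 10 + d;
            q++;
        }
        if (*q == '$' && n > highest) highest = n;   /* digits were N of %N$ */
    }
    *max_n = highest;
    return true;
}

/* Bytes needed for nargs entries, or false when nargs*BYTES_PER_ARG would
 * wrap: that wrap is what turned a huge N into an undersized allocation. */
static bool args_table_bytes(size_t nargs, size_t *bytes)
{
    if (nargs > SIZE_MAX / BYTES_PER_ARG) return false;
    *bytes = nargs * BYTES_PER_ARG;
    return true;
}

/* Allocate the table, bounded only by the overflow check and by what malloc
 * can provide (the libc-alpha preference over an NL_ARGMAX cap). */
static void *alloc_args_table(size_t nargs)
{
    size_t bytes;
    if (nargs == 0 || !args_table_bytes(nargs, &bytes)) return NULL;
    return malloc(bytes);   /* NULL means reject the request, never shrink it */
}
```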
* [Bug stdio/13656] vfprintf nargs integer overflow
From: eggert at gnu dot org @ 2012-03-09 8:37 UTC
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13656
Paul Eggert <eggert at gnu dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |eggert at gnu dot org
Resolution| |FIXED
--- Comment #5 from Paul Eggert <eggert at gnu dot org> 2012-03-09 08:36:47 UTC ---
Fix committed:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e
so I am marking this bug as fixed.
* [Bug stdio/13656] vfprintf nargs integer overflow
From: jackie.rosen at hushmail dot com @ 2014-02-16 19:42 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13656
Jackie Rosen <jackie.rosen at hushmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jackie.rosen at hushmail dot com
--- Comment #6 from Jackie Rosen <jackie.rosen at hushmail dot com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.
* [Bug stdio/13656] vfprintf nargs integer overflow
From: schwab at sourceware dot org @ 2014-05-28 19:41 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13656
Andreas Schwab <schwab at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|jackie.rosen at hushmail dot com |
* [Bug stdio/13656] vfprintf nargs integer overflow (CVE-2012-0864)
From: fweimer at redhat dot com @ 2014-06-27 9:58 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13656
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Summary|vfprintf nargs integer overflow |vfprintf nargs integer overflow (CVE-2012-0864)
Alias| |CVE-2012-0864
Flags| |security+