public inbox for glibc-bugs@sourceware.org
From: "siddhesh at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/14547] strcoll integer / buffer overflow
Date: Mon, 23 Sep 2013 06:00:00 -0000
Message-ID: <bug-14547-131-WiTiGXbzdb@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-14547-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=14547

Siddhesh Poyarekar <siddhesh at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |siddhesh at redhat dot com
         Resolution|---                         |FIXED

--- Comment #7 from Siddhesh Poyarekar <siddhesh at redhat dot com> ---
Fixed in master:

commit 303e567a8062200dc06acde7c76fc34679f08d8f
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon Sep 23 11:24:30 2013 +0530

    Check for integer overflow in cache size computation in strcoll

    strcoll is implemented using a cache for indices and weights of
    collation sequences in the strings so that subsequent passes do not
    have to search through collation data again. For very large string
    inputs, the cache size computation could overflow. In such a case,
    use the fallback function that does not cache indices and weights of
    collation sequences.

    Fixes CVE-2012-4412.

commit 141f3a77fe4f1b59b0afa9bf6909cd2000448883
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon Sep 23 11:20:02 2013 +0530

    Fall back to non-cached sequence traversal and comparison on malloc fail

    strcoll currently falls back to alloca if malloc fails, resulting in a
    possible stack overflow. This patch implements sequence traversal and
    comparison without caching indices and rules.

    Fixes CVE-2012-4424.

--
You are receiving this mail because:
You are on the CC list for the bug.
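The overflow check and the fallback decision that the two commit messages above describe, as an added C sketch that is not glibc's code and not part of the original message. The per-character entry size (one int32_t index plus one rule byte) and the names cache_size, cache_size_unchecked and choose_strategy are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cache entry per character: one 32-bit index plus one rule byte. */
#define ENTRY_SIZE (sizeof(int32_t) + 1)

/* The unchecked computation: wraps silently for very large inputs. */
size_t cache_size_unchecked(size_t s1len, size_t s2len)
{
    return (s1len + s2len) * ENTRY_SIZE;
}

/* Checked form: returns false when the result does not fit in size_t. */
bool cache_size(size_t s1len, size_t s2len, size_t *out)
{
    if (s1len > SIZE_MAX - s2len)              /* sum would wrap */
        return false;
    if (s1len + s2len > SIZE_MAX / ENTRY_SIZE) /* product would wrap */
        return false;
    *out = (s1len + s2len) * ENTRY_SIZE;
    return true;
}

enum strategy { USE_CACHE, USE_FALLBACK };

/* Cache only if the size is representable and malloc succeeds. There is
   no alloca path: either failure selects the non-cached comparison. */
enum strategy choose_strategy(size_t s1len, size_t s2len, void **cache)
{
    size_t need;
    *cache = NULL;
    if (!cache_size(s1len, s2len, &need))
        return USE_FALLBACK;
    *cache = malloc(need ? need : 1);
    return *cache ? USE_CACHE : USE_FALLBACK;
}

int main(void)
{
    size_t big = SIZE_MAX / ENTRY_SIZE + 1;    /* constructed input length */
    void *cache;
    printf("unchecked: %zu bytes\n", cache_size_unchecked(big, 0));
    puts(choose_strategy(big, 0, &cache) == USE_CACHE ? "cache" : "fallback");
    free(cache);
    return 0;
}
```

With the unchecked form, a request that should be larger than the address space comes back as a few bytes, so every later write into the cache lands past the end of the allocation.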