From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <glibc-bugs-return-27681-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Received: (qmail 4356 invoked by alias); 26 Feb 2015 23:10:50 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Received: (qmail 4329 invoked by uid 48); 26 Feb 2015 23:10:47 -0000
From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18043] New: buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
Date: Thu, 26 Feb 2015 23:10:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.21
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: konstantin.s.serebryany at gmail dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc flagtypes.name
Message-ID: <bug-18043-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-02/txt/msg00416.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

            Bug ID: 18043
           Summary: buffer-overflow (read past the end) in
                    wordexp/parse_dollars/parse_param
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com
             Flags: security+

#include <wordexp.h>
#include <string.h>
int main() {
  char *p = strdup("${");
  wordexp_t w;
  wordexp(p, &w, 0);
}

==15405== Invalid read of size 1
==15405==    at 0x4F1DE5C: parse_param (wordexp.c:1428)
==15405==    by 0x4F1DE5C: parse_dollars (wordexp.c:2102)
==15405==    by 0x4F1FFEB: wordexp (wordexp.c:2348)
==15405==    by 0x4005AA: main
==15405==  Address 0x51fb043 is 0 bytes after a block of size 3 alloc'd
==15405==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==15405==    by 0x4EBE839: strdup (strdup.c:42)
==15405==    by 0x40058E: main

This time it's unclear to me how bad this bug is because 
the man page explicitly says that 
"there must not be any unescaped newline or |, &, ;, <, >, (, ), {, }
characters"
OTOH, buffer overflow is still a bit too much. 

2.19 and fresh trunk are affected.
Same fuzzer, see https://sourceware.org/glibc/wiki/FuzzingLibc

-- 
You are receiving this mail because:
You are on the CC list for the bug.