public inbox for glibc-bugs@sourceware.org
* [Bug stdio/30068] New: incorrect printf output for integers with thousands separator and width field
From: vincent-srcware at vinc17 dot net @ 2023-02-02  1:16 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

            Bug ID: 30068
           Summary: incorrect printf output for integers with thousands
                    separator and width field
           Product: glibc
           Version: 2.37
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: vincent-srcware at vinc17 dot net
  Target Milestone: ---

Consider the following C program:

#include <stdio.h>
#include <locale.h>

int main (void)
{
  /* Take the locale from the environment so the ' flag inserts thousands separators.  */
  if (setlocale (LC_ALL, ""))
    {
      /* Ruler: 13 characters followed by ':'.  */
      printf ("1234567890123:\n");
      /* Width 13, left-justified, grouped; the ':' must line up with the ruler.  */
      printf ("%0+ -'13ld:\n", 1234567L);
    }
  return 0;
}

and try it with a locale that has a thousands separator, such as
"LC_ALL=en_US.utf8".

With glibc up to 2.36, I get as expected:

1234567890123:
+1,234,567   :

But I got a report from Klaus Dittrich (following his bug reports against GNU
MPFR at https://sympa.inria.fr/sympa/arc/mpfr/2023-01/msg00001.html and
https://sympa.inria.fr/sympa/arc/mpfr/2023-01/msg00017.html) that with glibc
git on 2023-01-17, one gets:

1234567890123:
+1,234,567     :

i.e. padding is done to width 15 instead of 13.

I've got another report that the MPFR test also fails with glibc 2.37, which is
probably the above issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: vincent-srcware at vinc17 dot net @ 2023-02-02  1:17 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

--- Comment #1 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
BTW, see also bug 23432 for other issues related to the thousands separator
(but no regression like here).


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: vincent-srcware at vinc17 dot net @ 2023-02-02  2:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

Vincent Lefèvre <vincent-srcware at vinc17 dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |critical

--- Comment #2 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
I suppose that the same bug occurs with sprintf(), in which case it can yield a
buffer overflow since additional characters are output. So I'm raising the
importance.


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: freswa at archlinux dot org @ 2023-02-02  7:51 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

freswa <freswa at archlinux dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |freswa at archlinux dot org

--- Comment #3 from freswa <freswa at archlinux dot org> ---
I can confirm that mpfr (latest release + master) sprintf tests fail with glibc
2.37.


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: vincent-srcware at vinc17 dot net @ 2023-02-02  8:54 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

--- Comment #4 from Vincent Lefèvre <vincent-srcware at vinc17 dot net> ---
I suspect that the padding amount is computed ignoring the thousands
separators, so that the increase in the width would be equal to the total
length of the thousands separators.


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: xry111 at xry111 dot site @ 2023-02-02 11:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

Xi Ruoyao <xry111 at xry111 dot site> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xry111 at xry111 dot site


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: xry111 at xry111 dot site @ 2023-02-02 12:40 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

--- Comment #5 from Xi Ruoyao <xry111 at xry111 dot site> ---
The patch for #23432
(https://sourceware.org/pipermail/libc-alpha/2023-January/144847.html) fixes
the testcase.


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: carlos at redhat dot com @ 2023-02-02 14:27 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security+
                 CC|                            |carlos at redhat dot com

--- Comment #6 from Carlos O'Donell <carlos at redhat dot com> ---
Thanks for reporting this. Yes, this is a regression where after the refactor
the implementation does not account for grouping characters during padding of
the width.

We'll work to get this fixed on the release branch so the distributions can
pick up the fix directly.

I'm marking this security plus since the width could be unexpected if you used
a number of other APIs to pre-compute an expected width with e.g. nl_langinfo
and digit counting.

I've asked Andreas if he's working on a v2, because the test case needs a
dependency on the test locale generation:
https://sourceware.org/pipermail/libc-alpha/2023-February/145204.html


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: carlos at redhat dot com @ 2023-02-02 14:27 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2023-02-02
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: sam at gentoo dot org @ 2023-02-02 16:41 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: siddhesh at sourceware dot org @ 2023-02-02 22:17 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at sourceware dot org

--- Comment #7 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Confirmed that this could potentially cause a buffer overflow with sprintf,
something like below.  This will occur in the corner case where an application
computes the size of buffer to be exactly enough to fit the digits in question,
but sprintf ends up writing a couple of extra bytes, hence going beyond bounds.

#include <stdio.h>
#include <locale.h>
#include <string.h>

int main (void)
{
  /* Exactly enough room for the 13-character field, the ':' and the NUL.  */
  char buf[strlen ("1234567890123:") + 1];
  __builtin_memset (buf, 'x', sizeof (buf));
  if (setlocale (LC_ALL, ""))
    {
      printf ("1234567890123:\n");
      printf ("%0+ -'13ld:\n", 1234567L);
      /* With the regression this writes two bytes past the end of buf.  */
      sprintf (buf, "%0+ -'13ld:", 1234567L);
      for (size_t i = 0; i < strlen ("1234567890123:") + 1; i++)
        {
          printf ("%c", buf[i]);
        }
      printf ("\n");
    }
  return 0;
}


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field
From: siddhesh at sourceware dot org @ 2023-02-02 22:19 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

--- Comment #8 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Oops, hit send too soon.  To finish, building with _FORTIFY_SOURCE should catch
this problem immediately:

e.g., build the above program with:

$ gcc -D_FORTIFY_SOURCE=1 -O -o sprintf-test sprintf-test.c

and run:

$ LOCPATH=$PWD/localedata LC_ALL=en_US.UTF-8 ./elf/ld-linux-x86-64.so.2 --library-path .:./math:./elf:./dlfcn:./nss:./nis:./rt:./resolv:./mathvec:./support:./crypt:./nptl ../sprintf-test
1234567890123:
+1,234,567     :
*** buffer overflow detected ***: terminated
Aborted (core dumped)

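A defensive counterpart to the two comments above, added here as an example and not code from the thread or from glibc: size the buffer from what snprintf/vsnprintf report rather than from a digit count, and treat a return value at or above the buffer size as a failed assumption instead of an overrun. The helper names `format_grouped`, `field_fits` and `format_alloc` are hypothetical; the format is the report's conversion with the `0` and space flags dropped, since `-` and `+` override them.

```c
#include <locale.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The report's conversion with the '0' and ' ' flags dropped ('-' and '+'
   override them); the width is an argument so it can be varied.  */
#define GROUPED_FMT "%+-'*ld:"

/* Format into BUF with snprintf and return the length the library wanted.
   A caller that sized BUF from a digit count (width + ':' + NUL) compares
   that size against the return value instead of trusting the count.  */
static int format_grouped (char *buf, size_t bufsz, int width, long value)
{
  return snprintf (buf, bufsz, GROUPED_FMT, width, value);
}

/* Does a buffer sized exactly for WIDTH characters plus ':' and NUL hold
   the whole field?  1 if yes, 0 if snprintf reports it had to truncate.
   Under the regression in this bug a grouping locale yields 0 for 1234567
   at width 13, since the field comes out 15 wide; snprintf truncates
   where sprintf would have written past the end.  */
static int field_fits (int width, long value)
{
  size_t bufsz = (size_t) width + 2;
  char *buf = malloc (bufsz);
  if (buf == NULL)
    return 0;
  int n = format_grouped (buf, bufsz, width, value);
  int fits = n >= 0 && (size_t) n < bufsz;
  free (buf);
  return fits;
}

/* Let the library size the buffer: measure with vsnprintf (NULL, 0, ...),
   allocate, format.  Correct whatever the locale inserts, because one code
   path both reports and produces the length.  Caller frees; NULL on error.  */
static char *format_alloc (const char *fmt, ...)
{
  va_list ap, ap2;
  va_start (ap, fmt);
  va_copy (ap2, ap);
  int needed = vsnprintf (NULL, 0, fmt, ap);
  va_end (ap);
  char *buf = needed < 0 ? NULL : malloc ((size_t) needed + 1);
  if (buf != NULL && vsnprintf (buf, (size_t) needed + 1, fmt, ap2) != needed)
    {
      free (buf);
      buf = NULL;
    }
  va_end (ap2);
  return buf;
}

int main (void)
{
  /* Use the environment's locale (e.g. LC_ALL=en_US.utf8) when available;
     in the C locale there is no grouping and the fixed buffer always fits.  */
  setlocale (LC_ALL, "");
  printf ("fixed buffer for width 13 holds the field: %s\n",
          field_fits (13, 1234567L) ? "yes" : "no, snprintf truncated");
  char *s = format_alloc (GROUPED_FMT, 13, 1234567L);
  printf ("library-sized result: \"%s\" (%zu chars)\n",
          s ? s : "(alloc failed)", s ? strlen (s) : (size_t) 0);
  free (s);
  return 0;
}
```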

* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field (CVE-2023-25139)
From: siddhesh at sourceware dot org @ 2023-02-03 11:56 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2023-25139
            Summary|incorrect printf output for |incorrect printf output for
                   |integers with thousands     |integers with thousands
                   |separator and width field   |separator and width field
                   |                            |(CVE-2023-25139)


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field (CVE-2023-25139)
From: carlos at redhat dot com @ 2023-02-06 15:24 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

--- Comment #9 from Carlos O'Donell <carlos at redhat dot com> ---
This is now fixed in master for glibc 2.38.

I'm working to add a NEWS entry and then backport to release/2.37/master.


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field (CVE-2023-25139)
From: carlos at redhat dot com @ 2023-02-06 18:03 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |glibc_2.37
             Status|NEW                         |RESOLVED
   Target Milestone|---                         |2.38
         Resolution|---                         |FIXED

--- Comment #10 from Carlos O'Donell <carlos at redhat dot com> ---
Fixed by c980549cc6a1c03c23cc2fe3e7b0fe626a0364b0 for glibc 2.38.
Marking as required for 2.37.


* [Bug stdio/30068] incorrect printf output for integers with thousands separator and width field (CVE-2023-25139)
From: carlos at redhat dot com @ 2023-02-08  1:32 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|glibc_2.37                  |

--- Comment #11 from Carlos O'Donell <carlos at redhat dot com> ---
Fixed in release/2.37/master with:

commit 07b9521fc6369d000216b96562ff7c0ed32a16c4
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Thu Jan 19 12:50:20 2023 +0100

    Account for grouping in printf width (bug 30068)

    This is a partial fix for mishandling of grouping when formatting
    integers.  It properly computes the width in the presence of grouping
    characters when the width is larger than the number of significant
    digits. The precision related issue is documented in bug 23432.

    Co-authored-by: Andreas Schwab <schwab@suse.de>
    (cherry picked from commit c980549cc6a1c03c23cc2fe3e7b0fe626a0364b0)

