This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [patch] Fix for heap overflow in wscanf (BZ 16618)


On 02/06/2015 06:52 AM, Carlos O'Donell wrote:
> On 02/02/2015 02:52 PM, Paul Pluzhnikov wrote:
>> On Mon, Feb 2, 2015 at 11:23 AM, Paul Eggert <eggert@cs.ucla.edu> wrote:
>>
>>> So, how about the attached (untested) patch to vfscanf.c instead? It's
>>> simpler.  It does rely on realloc (wp, SIZE_MAX) returning NULL, but that's
>>> safe in glibc.
>>
>> I like it. Re-tested.
>>
>> Combined patch attached.
>>
>> Thanks,
>>
> 
> Committed for 2.21.
> 
> commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
> Author: Paul Pluzhnikov <ppluzhnikov@google.com>
> Date:   Fri Feb 6 00:30:42 2015 -0500
> 
>     CVE-2015-1472: wscanf allocates too little memory
>     
>     BZ #16618
>     
>     Under certain conditions wscanf can allocate too little memory for the
>     to-be-scanned arguments and overflow the allocated buffer.  The
>     implementation now correctly computes the required buffer size when
>     using malloc.
>     
>     A regression test was added to tst-sscanf.

I think this fixes as CVE-2015-1473 as well, which was assigned for the
inconsistent use of __libc_use_alloca (even though no application impact
had been demonstrated).

-- 
Florian Weimer / Red Hat Product Security


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]