This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>, Paul Pluzhnikov <ppluzhnikov at google dot com>, Paul Eggert <eggert at cs dot ucla dot edu>
- Cc: Andreas Schwab <schwab at suse dot de>, Rich Felker <dalias at libc dot org>, libc-alpha at sourceware dot org
- Date: Fri, 06 Feb 2015 09:45:41 -0500
- Subject: Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
- Authentication-results: sourceware.org; auth=none
- References: <CALoOobPgvuBLTk4GzOchr792MHNi1yLgsO5Jqf8MPvY+bk544Q at mail dot gmail dot com> <20150202050906 dot GF23507 at brightrain dot aerifal dot cx> <CALoOobP5yEqB-oKUvPVJm0znonYJ_iM1q_uFBNT2sRojBguJ-A at mail dot gmail dot com> <mvmiofkiqaj dot fsf at hawking dot suse dot de> <CALoOobPyDepfTFp=_y50iKHxAhKV8W+ZkUiV6e-2O=kgpT_08g at mail dot gmail dot com> <54CFCEB1 dot 8090301 at cs dot ucla dot edu> <CALoOobOqBGEp=Jv-sncnUzi6BVzypg9txr-Oh2OTQL7BFbuwSw at mail dot gmail dot com> <54D45696 dot 2020801 at redhat dot com> <54D4C560 dot 8040401 at redhat dot com>
On 02/06/2015 08:45 AM, Florian Weimer wrote:
> On 02/06/2015 06:52 AM, Carlos O'Donell wrote:
>> On 02/02/2015 02:52 PM, Paul Pluzhnikov wrote:
>>> On Mon, Feb 2, 2015 at 11:23 AM, Paul Eggert <eggert@cs.ucla.edu> wrote:
>>>
>>>> So, how about the attached (untested) patch to vfscanf.c instead? It's
>>>> simpler. It does rely on realloc (wp, SIZE_MAX) returning NULL, but that's
>>>> safe in glibc.
>>>
>>> I like it. Re-tested.
>>>
>>> Combined patch attached.
>>>
>>> Thanks,
>>>
>>
>> Committed for 2.21.
>>
>> commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
>> Author: Paul Pluzhnikov <ppluzhnikov@google.com>
>> Date: Fri Feb 6 00:30:42 2015 -0500
>>
>> CVE-2015-1472: wscanf allocates too little memory
>>
>> BZ #16618
>>
>> Under certain conditions wscanf can allocate too little memory for the
>> to-be-scanned arguments and overflow the allocated buffer. The
>> implementation now correctly computes the required buffer size when
>> using malloc.
>>
>> A regression test was added to tst-sscanf.
>
> I think this fixes as CVE-2015-1473 as well, which was assigned for the
> inconsistent use of __libc_use_alloca (even though no application impact
> had been demonstrated).
>
Could you confirm that please? I've still got a laundry list of release
announcements to make for 2.21. Then we'll adjust the NEWS and bugzilla
accordingly on release/2.21/master and master.
Cheers,
Carlos.