This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/18043] New: buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 26 Feb 2015 23:10:46 +0000
- Subject: [Bug libc/18043] New: buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18043
Bug ID: 18043
Summary: buffer-overflow (read past the end) in
wordexp/parse_dollars/parse_param
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com
Flags: security+
/* Reproducer: the string "${" is an unterminated parameter expansion, and
 * parse_param reads one byte past the end of the 3-byte strdup'd buffer. */
#include <wordexp.h>
#include <string.h>
int main(void) {
    char *p = strdup("${");   /* heap block of size 3: '$', '{', '\0' */
    wordexp_t w;
    wordexp(p, &w, 0);        /* valgrind reports the invalid read here */
    return 0;
}
==15405== Invalid read of size 1
==15405== at 0x4F1DE5C: parse_param (wordexp.c:1428)
==15405== by 0x4F1DE5C: parse_dollars (wordexp.c:2102)
==15405== by 0x4F1FFEB: wordexp (wordexp.c:2348)
==15405== by 0x4005AA: main
==15405== Address 0x51fb043 is 0 bytes after a block of size 3 alloc'd
==15405== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==15405== by 0x4EBE839: strdup (strdup.c:42)
==15405== by 0x40058E: main
This time it's unclear to me how bad this bug is because
the man page explicitly says that
"there must not be any unescaped newline or |, &, ;, <, >, (, ), {, }
characters"
OTOH, buffer overflow is still a bit too much.
2.19 and fresh trunk are affected.
Same fuzzer, see https://sourceware.org/glibc/wiki/FuzzingLibc
--
You are receiving this mail because:
You are on the CC list for the bug.
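The following is an added example, not code from this bug report or from glibc. It shows the kind of caller-side check a practitioner would want in front of wordexp(3) when the string comes from an untrusted source: it enforces the man-page rule quoted in the report (no unescaped newline, |, &, ;, <, >, (, ), {, }) and additionally rejects a "${" that is never closed, which is exactly the reproducer's input, so such strings never reach parse_param at all. It also passes WRDE_NOCMD so that command substitution (including backticks, which the pre-check does not look for) is refused by wordexp itself. The function names, the quoting policy and the test strings are this example's own assumptions; it is deliberately conservative and does not claim to match glibc's parser exactly, and it does not fix the bug in glibc.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Conservative pre-check (this example's own policy, not glibc's):
 * return 1 if `s` may be handed to wordexp(3), 0 if it must be rejected.
 *   - a backslash must be followed by a character, which is then skipped
 *   - single quotes must be balanced; their contents are not inspected
 *   - inside double quotes the shell specials count as quoted, but "${"
 *     and "}" are still tracked because parameter expansion happens there
 *   - "{" and "}" are accepted only as a closed "${...}" expansion
 *   - any other unescaped newline, |, &, ;, <, >, ( or ) is rejected */
int wordexp_input_ok(const char *s)
{
    int depth = 0;   /* number of "${" not yet closed by "}" */
    int dq = 0;      /* 1 while inside double quotes */

    for (const char *p = s; *p != '\0'; p++) {
        char c = *p;

        if (c == '\\') {
            if (p[1] == '\0')
                return 0;          /* trailing backslash escapes nothing */
            p++;                   /* skip the escaped character */
            continue;
        }
        if (!dq && c == '\'') {
            const char *q = strchr(p + 1, '\'');
            if (q == NULL)
                return 0;          /* unterminated single quote */
            p = q;                 /* jump to the closing quote */
            continue;
        }
        if (c == '"') {
            dq = !dq;
            continue;
        }
        if (c == '$' && p[1] == '{') {
            depth++;
            p++;                   /* consume the '{' */
            continue;
        }
        if (c == '}') {
            if (depth == 0)
                return 0;          /* '}' without a matching "${" */
            depth--;
            continue;
        }
        if (!dq && strchr("\n|&;<>(){", c) != NULL)
            return 0;              /* unescaped shell special character */
    }
    return depth == 0 && !dq;      /* every "${" and every '"' closed */
}

/* Expand `s` into `w` only if it passes the pre-check.  Returns the word
 * count, or -1 if the input was rejected or wordexp failed; after -1 the
 * caller has nothing to free (WRDE_NOSPACE is the one error after which
 * wordexp may still hold memory, so it is released here). */
int safe_wordexp(const char *s, wordexp_t *w)
{
    if (!wordexp_input_ok(s))
        return -1;
    int rc = wordexp(s, w, WRDE_NOCMD);
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)
            wordfree(w);
        return -1;
    }
    return (int)w->we_wordc;
}

/* Convenience wrapper: word count for `s`, with the result freed. */
int count_words(const char *s)
{
    wordexp_t w;
    int n = safe_wordexp(s, &w);
    if (n >= 0)
        wordfree(&w);
    return n;
}

int main(void)
{
    /* Constructed inputs: the reproducer's "${", then accepted and
     * rejected variants of the documented restrictions. */
    const char *inputs[] = {
        "${", "one 'two three'", "\"a;b\" c", "a;b", "x\\;y",
        "$(id)", "`id`", "${HOME}/x", "}",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-18s -> precheck %d, words %d\n", inputs[i],
               wordexp_input_ok(inputs[i]), count_words(inputs[i]));
    return 0;
}
```

Two layers are used on purpose: the pre-check rejects the shapes the man page forbids before the parser sees them, and WRDE_NOCMD covers the one dangerous construct (backticks) that the pre-check deliberately does not try to lex. A caller that cannot tolerate false rejections of double-quoted or escaped input should not loosen the check but should stop passing untrusted strings to wordexp at all.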