Piotr: Could you please provide a reproducer, or a string/locale couple
that triggered the bug for you?

In my system, when n1 returned by strxfrm() was equal to n2, the string
was terminated with \0, only that it was truncated (so a subsequent
attempt to read it did not lead to an out-of-bound read). Though the
manual states that the behavior is undefined. I did not try it in
Debian, but I can't really imagine why Debian's glibc would behave
differently from Fedora's.

Btw. I can't imagine a real-world situation where this would lead to an
information disclosure. The return value of strxfrm() is never meant to
be displayed to the user.

-- 
Lubomir Kundrak (Red Hat Security Response Team)
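
An added example, not code from this thread or from glibc: one way a caller can avoid depending on what strxfrm() leaves in the buffer when its return value reaches the size passed in. It assumes the comparison discussed above is between the strxfrm() return value and its size argument; the helper names xfrm_checked and xfrm_alloc are hypothetical, and the sample runs in the default "C" locale.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: transform src into a caller-supplied buffer.
 * Returns 0 on success, -1 if the transformed string did not fit. */
int xfrm_checked(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || dstsize == 0)
        return -1;
    size_t need = strxfrm(dst, src, dstsize);
    if (need >= dstsize) {
        /* ISO C: when the return value is >= n the array contents are
         * indeterminate, so a terminator must not be assumed. */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical helper: size the buffer first (n == 0 permits a null
 * destination), then transform. Caller frees the result. */
char *xfrm_alloc(const char *src)
{
    size_t need = strxfrm(NULL, src, 0);
    if (need == SIZE_MAX)
        return NULL;
    char *buf = malloc(need + 1);
    if (buf == NULL)
        return NULL;
    if (strxfrm(buf, src, need + 1) >= need + 1) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    char small[5];                  /* constructed: too small for "hello" */
    printf("fits in 5 bytes: %s\n",
           xfrm_checked(small, sizeof small, "hello") == 0 ? "yes" : "no");
    char *t = xfrm_alloc("hello");
    printf("two-pass result length: %zu\n", t ? strlen(t) : 0);
    free(t);
    return 0;
}
```

A program that collates in the user's locale would call setlocale(LC_COLLATE, "") before using either helper.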


