Lubomir Kundrak <[EMAIL PROTECTED]> wrote:
Piotr: Could you please provide a reproducer, or a string/locale couple
that triggered the bug for you?

Ok, sorry for being so terse in the original report:

$ cat foo
#!/usr/bin/python

import locale

print locale.setlocale(locale.LC_COLLATE, 'pl_PL.UTF8')
print repr(locale.strxfrm('a'))
$ ./foo
pl_PL.UTF8
'\x0c\x01\x08\x01\x02\x01\x18\x08\x10'
$

Here, '\x0c\x01\x08\x01\x02\x01' comes from glibc's strxfrm(), and the
rest of the string is the contents of the memory immediately after the
destination buffer. (It is also possible to get identifiable parts of
the strings processed by the program before the strxfrm() call but I
don't have a reproducible test case for that.)

Btw. I can't imagine a real-world situation where this would lead to an
information disclosure. The return value of strxfrm() is never meant to
be displayed to the user.

Real-world case, and how I found the bug in the first place: a
webapp that allows a user to upload some strings to the server, and
other users to view them and sort them in various ways. Since
JavaScript doesn't have support for locale-aware string comparison,
each string carries a sorting key, which is the return value of
strxfrm(), and which is visible in the page source.
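The trailing garbage in the reproducer above is what a caller sees when it hands strxfrm() a buffer that is too small and then treats the buffer as a string anyway. The C standard's contract is that strxfrm() returns the length the collation key needs; only when that value is smaller than the buffer size n is the buffer a complete, NUL-terminated key, otherwise its contents are unspecified and must not be read. The following is an added example, not code from the report or from Python, showing the measure-then-transform pattern a wrapper should use and a check that tells whether a given buffer size is sufficient. It assumes a POSIX/glibc libc; the locale name pl_PL.UTF8 is taken from the report and the example falls back to "C" if that locale is not installed.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ask the C library how long the collation key for s is without writing
 * anything: with n == 0 the destination may be NULL, and the return value
 * is the key length, not counting the terminating NUL. */
size_t collation_key_len(const char *s)
{
    return strxfrm(NULL, s, 0);
}

/* Would a buffer of n bytes hold the complete, NUL-terminated key for s?
 * strxfrm() returns the needed length; if that is >= n, the buffer's
 * contents are unspecified and must not be treated as a string (this is
 * the situation that exposes whatever lies in or after the buffer). */
int collation_key_fits(const char *s, size_t n)
{
    return collation_key_len(s) < n;
}

/* Hardened wrapper: size the buffer from the measuring call, transform
 * with a second call, and refuse to return a buffer whose content was not
 * confirmed complete (the length could change if the locale changed
 * between the two calls). The caller frees the result. */
char *safe_strxfrm(const char *s)
{
    size_t need = collation_key_len(s);
    char *buf = malloc(need + 1);
    if (buf == NULL)
        return NULL;
    size_t got = strxfrm(buf, s, need + 1);
    if (got != need) {          /* key did not fit: never hand back the buffer */
        free(buf);
        return NULL;
    }
    return buf;                 /* exactly need bytes plus NUL, nothing beyond */
}

int main(void)
{
    /* Locale from the report; fall back to "C" when it is not installed. */
    if (setlocale(LC_COLLATE, "pl_PL.UTF8") == NULL)
        setlocale(LC_COLLATE, "C");

    const char *input = "a";    /* constructed sample input, as in the report */
    char *key = safe_strxfrm(input);
    if (key == NULL) {
        fprintf(stderr, "strxfrm failed\n");
        return 1;
    }
    printf("key for %s has %zu bytes:", input, strlen(key));
    for (const unsigned char *p = (const unsigned char *)key; *p; p++)
        printf(" %02x", *p);
    printf("\n");
    free(key);
    return 0;
}
```

In the "C" locale the key is the input itself, so a fixed buffer of strlen(s) + 1 bytes is enough; under pl_PL.UTF8 the key is several times longer, which is exactly why a wrapper cannot guess the size and must honour the return value.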

