Package: libc6 Version: 2.10.1-2 Severity: normal
sscanf(p,"%d",&i) caused a SIGSEGV raised if p points to a very long input string with just decimal characters in it. that makes "%d" unusable for scanning untrusted input. (in my case a sip registrar). here is a code example that shows it (use 2*1024*1024 and it works) # compile with e.g. gcc x.c -o x #include <stdio.h> #include <string.h> #include <stdlib.h> int main() { int n; char *p; #define NBUF (3*1024*1024) p=malloc(NBUF); if (p) { memset(p,'1',NBUF); p[NBUF-1]=0; printf("here we go...\n"); sscanf(p,"%d",&n); printf("n=%d\n",n); free(p); } return 0; } -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.30-2-686 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages libc6 depends on: ii libc-bin 2.10.1-2 GNU C Library: Binaries ii libgcc1 1:4.4.2-1 GCC support library Versions of packages libc6 recommends: ii libc6-i686 2.10.1-2 GNU C Library: Shared libraries [i Versions of packages libc6 suggests: ii debconf [debconf-2.0] 1.5.28 Debian configuration management sy ii glibc-doc 2.10.1-2 GNU C Library: Documentation ii locales 2.10.1-2 GNU C Library: National Language ( ii locales-all [locales] 2.10.1-2 GNU C Library: Precompiled locale -- debconf information: * glibc/upgrade: true glibc/disable-screensaver: glibc/restart-failed: * glibc/restart-services: spamassassin samba rsync postfix openbsd-inetd cups cron atd -- To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org