Your message dated Mon, 7 Mar 2016 18:46:58 +0100
with message-id <[email protected]>
and subject line Re: Bug#772705: libc6: buffer overflow in tzset
has caused the Debian Bug report #772705,
regarding libc6: buffer overflow in tzset
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
772705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libc6
Version: 2.19-13
The attached crafted timezone file makes tzset(3) crash:
$ TZ=$PWD/crashtz date
*** Error in `date': free(): invalid next size (fast): 0x0916b160 ***
Aborted
Valgrind says:
==7754== Invalid write of size 1
==7754== at 0x40F7D7D: __tzfile_read (tzfile.c:379)
==7754== by 0x40F71D1: tzset_internal (tzset.c:447)
==7754== by 0x40F749E: __tz_convert (tzset.c:632)
==7754== by 0x40F5BDC: localtime (localtime.c:42)
==7754== by 0x8049B94: ??? (in /bin/date)
==7754== by 0x8049885: ??? (in /bin/date)
==7754== by 0x4069A62: (below main) (libc-start.c:287)
==7754== Address 0x41fe816 is 6 bytes after a block of size 0 alloc'd
==7754== at 0x40291CC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7754== by 0x40F79A1: __tzfile_read (tzfile.c:278)
==7754== by 0x40F71D1: tzset_internal (tzset.c:447)
==7754== by 0x40F749E: __tz_convert (tzset.c:632)
==7754== by 0x40F5BDC: localtime (localtime.c:42)
==7754== by 0x8049B94: ??? (in /bin/date)
==7754== by 0x8049885: ??? (in /bin/date)
==7754== by 0x4069A62: (below main) (libc-start.c:287)
==7754==
==7754== Invalid write of size 1
==7754== at 0x40F7DDD: __tzfile_read (tzfile.c:389)
==7754== by 0x40F71D1: tzset_internal (tzset.c:447)
==7754== by 0x40F749E: __tz_convert (tzset.c:632)
==7754== by 0x40F5BDC: localtime (localtime.c:42)
==7754== by 0x8049B94: ??? (in /bin/date)
==7754== by 0x8049885: ??? (in /bin/date)
==7754== by 0x4069A62: (below main) (libc-start.c:287)
==7754== Address 0x41fe817 is 7 bytes after a block of size 0 alloc'd
==7754== at 0x40291CC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7754== by 0x40F79A1: __tzfile_read (tzfile.c:278)
==7754== by 0x40F71D1: tzset_internal (tzset.c:447)
==7754== by 0x40F749E: __tz_convert (tzset.c:632)
==7754== by 0x40F5BDC: localtime (localtime.c:42)
==7754== by 0x8049B94: ??? (in /bin/date)
==7754== by 0x8049885: ??? (in /bin/date)
==7754== by 0x4069A62: (below main) (libc-start.c:287)
This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libc6:i386 depends on:
ii libgcc1 1:4.9.2-6
Versions of packages libc6:i386 recommends:
ii libc6-i686 2.19-13
--
Jakub Wilk
crashtz
Description: Binary data
--- End Message ---
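Added example, not glibc's code and not the change in the commit linked in the reply below: a stand-alone consistency check of the version-1 TZif header (layout per RFC 8536) that rejects a time zone file whose declared counts do not fit the data actually present. The function names, return codes and sample bytes are constructed for illustration; the report above does not say which header field the crashing file uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TZif stores every header count as a 32-bit big-endian integer. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Return 0 if the version-1 block is self-consistent, else a negative
 * code naming the first failed check (codes are this example's own). */
int tzif_v1_check(const unsigned char *buf, size_t len) {
    if (len < 44 || memcmp(buf, "TZif", 4) != 0)
        return -1;                      /* short file or bad magic */
    uint64_t isutcnt = be32(buf + 20), isstdcnt = be32(buf + 24);
    uint64_t leapcnt = be32(buf + 28), timecnt = be32(buf + 32);
    uint64_t typecnt = be32(buf + 36), charcnt = be32(buf + 40);
    if (typecnt == 0 || charcnt == 0)
        return -2;                      /* both must be non-zero */
    if ((isutcnt && isutcnt != typecnt) || (isstdcnt && isstdcnt != typecnt))
        return -3;                      /* indicator arrays must match typecnt */
    /* Each count is below 2^32, so this 64-bit sum cannot wrap. */
    uint64_t need = timecnt * 5 + typecnt * 6 + charcnt + leapcnt * 8
                  + isstdcnt + isutcnt;
    if (need > len - 44)
        return -4;                      /* header declares more than the file holds */
    const unsigned char *idx = buf + 44 + (size_t)timecnt * 4;
    for (size_t i = 0; i < (size_t)timecnt; i++)
        if (idx[i] >= typecnt)
            return -5;                  /* transition names a missing type record */
    return 0;
}

/* Constructed sample (not the crashtz attachment): header, one transition,
 * one type record, "UTC\0". Caller sets declared timecnt and type index. */
int check_sample(uint32_t timecnt, unsigned char type_idx) {
    unsigned char f[59] = "TZif";
    f[32] = (unsigned char)(timecnt >> 24); f[33] = (unsigned char)(timecnt >> 16);
    f[34] = (unsigned char)(timecnt >> 8);  f[35] = (unsigned char)timecnt;
    f[39] = 1; f[43] = 4;               /* typecnt = 1, charcnt = 4 */
    f[48] = type_idx;                   /* type index of the one transition */
    memcpy(f + 55, "UTC", 4);           /* abbreviation string with its NUL */
    return tzif_v1_check(f, sizeof f);
}

int main(void) {
    printf("%d %d\n", check_sample(1, 0), check_sample(0xFFFFFFFFu, 0));
}
```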
--- Begin Message ---
Version: 2.22-1
On 2015-04-24 20:54, Salvatore Bonaccorso wrote:
> Hi
>
> This should be addressed with the following commit:
>
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42261ad731
>
> See: http://www.openwall.com/lists/oss-security/2015/04/24/3
This commit is part of glibc 2.22, which is now in sid. I am therefore
closing the bug with this version.
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
[email protected] http://www.aurel32.net
--- End Message ---