[Bug 1048203] Re: (CVE-2012-4412) glibc: strcoll() integer overflow leading to buffer overflow

2019-09-29 Thread Bug Watch Updater
** Changed in: fedora
   Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1048203

Title:
  (CVE-2012-4412) glibc: strcoll() integer overflow leading to buffer
  overflow

To manage notifications about this bug go to:
https://bugs.launchpad.net/glibc/+bug/1048203/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1048203] Re: (CVE-2012-4412) glibc: strcoll() integer overflow leading to buffer overflow

2017-10-28 Thread Bug Watch Updater
Launchpad has imported 7 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=855385.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2012-09-07T14:59:00+00:00 Jan wrote:

An integer overflow, leading to a buffer overflow flaw, was found in the
way the implementation of the strcoll() routine, used to compare two strings
based on the current locale, of glibc, the GNU libc libraries, performed
calculation of memory requirements / allocation, needed for storage of
the strings. If an application linked against glibc was missing
application-level sanity checks for validity of strcoll() arguments and
accepted untrusted input, an attacker could use this flaw to cause the
particular application to crash or, potentially, execute arbitrary code
with the privileges of the user running the application.

Upstream bug report (including reproducer):
[1] http://sourceware.org/bugzilla/show_bug.cgi?id=14547

Reply at:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1048203/comments/3


On 2012-09-07T15:31:44+00:00 Jan wrote:

CVE request:
[2] http://www.openwall.com/lists/oss-security/2012/09/07/9

Reply at:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1048203/comments/4


On 2012-09-07T15:32:49+00:00 Jan wrote:

This issue affects the versions of the glibc package, as shipped with
Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the glibc package, as shipped with
Fedora releases 16 and 17. Please schedule an update (once there is
a final upstream patch available).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1048203/comments/5


On 2012-09-07T15:34:15+00:00 Jan wrote:

Created glibc tracking bugs for this issue

Affects: fedora-all [bug 855399]

Reply at:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1048203/comments/6


On 2012-09-07T17:29:07+00:00 Jan wrote:

The CVE identifier of CVE-2012-4412 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/09/07/12

Reply at:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1048203/comments/7


On 2013-08-22T00:49:36+00:00 Fedora wrote:

glibc-2.17-13.fc19 has been pushed to the Fedora 19 stable repository.
If problems still persist, please make note of it in this bug report.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1048203/comments/14


On 2013-09-05T09:05:48+00:00 Huzaifa wrote:

Statement:

This issue affects the version of glibc as shipped with Red Hat
Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated
this issue as having moderate security impact; a future update may
address this flaw.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1048203/comments/15


** Changed in: fedora
   Status: Unknown => Confirmed

** Changed in: fedora
   Importance: Unknown => Medium

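The class of bug described in the imported report above, as an added example that is not glibc's code and not part of the original thread: a scratch-buffer size computation that wraps before allocation, beside a checked form. The per-character cost `PER_CHAR` and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed per-character cost of the scratch area: one 32-bit index plus
   one rule byte. Illustrative only, not quoted from glibc. */
#define PER_CHAR (sizeof(int32_t) + 1)

/* Unchecked form: the addition and the multiplication both wrap modulo
   SIZE_MAX + 1, so very long inputs produce a small request. */
static size_t scratch_size_unchecked(size_t s1len, size_t s2len)
{
    return (s1len + s2len) * PER_CHAR;
}

/* Checked form: returns 0 and stores the size, or -1 if the size cannot
   be represented in size_t. */
static int scratch_size_checked(size_t s1len, size_t s2len, size_t *out)
{
    if (s1len > SIZE_MAX - s2len)
        return -1;                      /* s1len + s2len would wrap */
    size_t total = s1len + s2len;
    if (total > SIZE_MAX / PER_CHAR)
        return -1;                      /* total * PER_CHAR would wrap */
    *out = total * PER_CHAR;
    return 0;
}

/* NULL means the caller must use a path that needs no scratch buffer. */
static void *alloc_scratch(size_t s1len, size_t s2len)
{
    size_t n;
    if (scratch_size_checked(s1len, s2len, &n) != 0)
        return NULL;
    return malloc(n ? n : 1);
}

int main(void)
{
    size_t huge = SIZE_MAX / PER_CHAR + 1;      /* constructed length */
    printf("unchecked: %zu bytes requested for %zu characters\n",
           scratch_size_unchecked(huge, 0), huge);
    printf("checked:   %s\n",
           alloc_scratch(huge, 0) ? "allocated" : "rejected");
    return 0;
}
```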

[Bug 1048203]

2015-03-12 Thread Glsamaker
This issue was resolved and addressed in
 GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).



[Bug 1048203] Re: (CVE-2012-4412) glibc: strcoll() integer overflow leading to buffer overflow

2015-03-12 Thread Bug Watch Updater
** Changed in: gentoo
   Status: Unknown => Fix Released



[Bug 1048203]

2015-03-05 Thread Blueknight-l
Maintainer(s), please drop the vulnerable version(s).

Added to an existing GLSA Request.




[Bug 1048203] Re: (CVE-2012-4412) glibc: strcoll() integer overflow leading to buffer overflow

2013-11-10 Thread Bug Watch Updater
** Changed in: eglibc (Debian)
   Status: New => Fix Released



[Bug 1048203]

2013-10-25 Thread mancha
(In reply to mancha from comment #8)
> Hello. I applied Siddhesh's three patches (2 CVE fixes + strcoll
> refactoring) and the PoCs no longer trigger overflows.
>
> What is a reasonable runtime to expect on those PoCs post-patch?
>
> I ask because last night I left Joseph's code running on a ~2.3GHz Intel and
> it was still going this morning [was in seq_next_seq_nocache()].
>
> Thanks!

get_next_seq_nocache() that is.



[Bug 1048203]

2013-10-25 Thread mancha
(In reply to Siddhesh Poyarekar from comment #10)
> It should finish a few minutes before forever :)
>
> The *_nocache code is O(n^3) (IIRC), so it's very very slow.

Hi. Thanks for your quick reply. With that kind of complexity I'll adopt
your heuristic: if no failure in 5 minutes, assume success.

> If you want to do a correctness test then I'd suggest commenting out the
> get_next_seq_cached paths so that get_next_seq_nocache is called all the
> time and then run your usual strcoll correctness tests.

Thanks for the suggestion, I'll force get_next_seq_nocache and run my
strcoll faithfulness tests.



[Bug 1048203]

2013-10-25 Thread mancha
Hello. I applied Siddhesh's three patches (2 CVE fixes + strcoll
refactoring) and the PoCs no longer trigger overflows.

What is a reasonable runtime to expect on those PoCs post-patch?

I ask because last night I left Joseph's code running on a ~2.3GHz Intel
and it was still going this morning [was in seq_next_seq_nocache()].

Thanks!



[Bug 1048203]

2013-10-25 Thread Siddhesh
(In reply to mancha from comment #8)
> Hello. I applied Siddhesh's three patches (2 CVE fixes + strcoll
> refactoring) and the PoCs no longer trigger overflows.
>
> What is a reasonable runtime to expect on those PoCs post-patch?

It should finish a few minutes before forever :)

The *_nocache code is O(n^3) (IIRC), so it's very very slow.  If it has
to crash due to a buffer or stack overflow, it ought to be gone in a few
minutes based on some arbitrary tests I did by introducing buffer
overflows and accesses beyond bounds in the code.

I've added an xtest (i.e. an optional test, which you can run using
`make xcheck`) that does exactly this - run the reproducer and signal a
success if the program doesn't crash in about five minutes.

If you want to do a correctness test then I'd suggest commenting out the
get_next_seq_cached paths so that get_next_seq_nocache is called all the
time and then run your usual strcoll correctness tests.

Maybe we could add some internal test hooks that allow us to do this
seamlessly.

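The pass/fail rule described in the message above (run the reproducer, count it as a success if it has not crashed when the time limit expires), as an added sketch that is not glibc's xtest code and not part of the original thread. The names `run_with_deadline`, `crash_now`, `spin_forever` and `finish_quickly` are hypothetical, and the three workloads are constructed stand-ins for a reproducer.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum verdict { PASS_EXITED, PASS_TIMEOUT, FAIL, HARNESS_ERROR };

/* Run fn() in a child process. Death by signal (or a non-zero exit, an
   assumption of this sketch) before the deadline is a failure; still
   running at the deadline counts as success and the child is killed. */
static enum verdict run_with_deadline(void (*fn)(void), unsigned seconds)
{
    pid_t pid = fork();
    if (pid < 0)
        return HARNESS_ERROR;
    if (pid == 0) {
        fn();
        _exit(0);
    }
    const struct timespec tick = { 0, 50 * 1000 * 1000 };   /* 50 ms */
    for (unsigned long ms = 0; ms < seconds * 1000UL; ms += 50) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid) {
            if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
                return PASS_EXITED;
            return FAIL;
        }
        if (r < 0)
            return HARNESS_ERROR;
        nanosleep(&tick, NULL);
    }
    kill(pid, SIGKILL);             /* deadline reached without a crash */
    waitpid(pid, NULL, 0);
    return PASS_TIMEOUT;
}

/* Constructed stand-ins for the ways a reproducer can behave. */
static void crash_now(void)      { raise(SIGSEGV); }
static void spin_forever(void)   { for (;;) pause(); }
static void finish_quickly(void) { }

int main(void)
{
    /* The limit mentioned in the thread is about five minutes (300 s);
       1 s is used here so the demonstration finishes quickly. */
    return run_with_deadline(spin_forever, 1) == PASS_TIMEOUT ? 0 : 1;
}
```

A timeout verdict only shows that nothing crashed within the limit; it says nothing about whether the comparison result is correct, which is why the thread suggests a separate correctness run.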


[Bug 1048203] Re: (CVE-2012-4412) glibc: strcoll() integer overflow leading to buffer overflow

2013-10-16 Thread Seth Arnold
** Information type changed from Private Security to Public Security
