From: Kurt Seifried
Newsgroups: gmane.comp.security.oss.general,gmane.linux.lib.musl.general
Subject: Re: Stack-based buffer overflow in musl libc 0.8.7 and earlier
Date: Wed, 18 Apr 2012 11:06:42 -0600
Message-ID: <4F8EF4A2.1030901@redhat.com>
References: <20120418063258.GA32320@brightrain.aerifal.cx>
To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org
Cc: Rich Felker, musl-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org

On 04/18/2012 12:32 AM, Rich Felker wrote:
> Name: Stack-based buffer overflow in musl libc 0.8.7 and earlier
> Software: musl 0.8.7 and earlier
> Software link: http://www.etalabs.net/musl
> Vulnerability Type: Buffer overflow
> Severity: Critical
>
> Software Description:
>
> musl is an implementation of the C/POSIX standard library for
> Linux-based systems. musl aims to be lightweight, fast, simple,
> free, and correct in the sense of standards-conformance and safety,
> and to meet requirements ranging from embedded systems and initrd
> images to desktop workstations, mobile devices, and high-load
> servers. Several build-from-source mini-distributions use musl as
> their C library.
>
> Vulnerability Details:
>
> musl's implementation of [v]fprintf swaps in a temporary FILE
> buffer on the stack when writing to unbuffered streams such as
> stderr. Under certain conditions where the buffer end pointer has
> already been set to the address of the internal degenerate buffer
> prior to the call to [v]fprintf, stdio internals can fail to bound
> access to the temporary buffer. Large writes will then overflow the
> temporary buffer and clobber stack contents, including potentially
> the return address. Any program linked to musl which includes
> potentially-large data from untrusted sources in its output to
> stderr or other unbuffered streams is affected.
>
> Solution:
>
> The vulnerability has been fixed in git, and the fix is to be
> included in the upcoming 0.8.8 release. A patch which applies
> cleanly to all recent releases is available on the musl mailing
> list:
>
> http://www.openwall.com/lists/musl/2012/04/17/1
>
> Credits:
>
> This vulnerability was discovered and fixed by the author (myself,
> Rich Felker) while debugging a crash occurring in test code
> written for musl by Luka Marčetić as part of GSoC 2011.

Please use CVE-2012-2114 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
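
The bug class described in the quoted advisory (a temporary buffer swapped in while a cached end pointer still holds its earlier value), as an added example that is not part of the original message and is not musl's code. The struct, function names and single-array frame layout are hypothetical; the layout is an assumption chosen so the demonstration stays inside one object.

```c
#include <stdio.h>
#include <string.h>
enum { TMP = 16, GUARD = 8, ARENA = TMP + GUARD + 1 };

/* Toy stream: hypothetical field names, not musl's FILE layout. */
struct stream {
    unsigned char *wpos;  /* next write position */
    unsigned char *wend;  /* cached end of the writable region */
};

/* Swap a temporary buffer in; reset_bounds == 0 leaves the end pointer stale. */
static void swap_in(struct stream *s, unsigned char *tmp, int reset_bounds)
{
    s->wpos = tmp;
    if (reset_bounds)
        s->wend = tmp + TMP;
}

/* Write path whose only bound is the cached end pointer. */
static size_t stream_write(struct stream *s, const unsigned char *src, size_t n)
{
    size_t room = (size_t)(s->wend - s->wpos);
    if (n > room)
        n = room;
    memcpy(s->wpos, src, n);
    s->wpos += n;
    return n;
}

/* Number of guard bytes altered by one oversized write. */
size_t guard_bytes_clobbered(int reset_bounds)
{
    /* One array models the frame so every pointer stays in bounds:
       [0,16) temporary buffer, [16,24) guard, [24] degenerate buffer. */
    unsigned char arena[ARENA], data[TMP + GUARD];
    unsigned char *guard = arena + TMP, *degenerate = guard + GUARD;
    struct stream s = { degenerate, degenerate };  /* end pointer already set */
    size_t i, hit = 0;
    memset(arena, 0xAA, sizeof arena);
    memset(data, 'A', sizeof data);  /* constructed oversized output */
    swap_in(&s, arena, reset_bounds);
    stream_write(&s, data, sizeof data);
    for (i = 0; i < GUARD; i++)
        hit += guard[i] != 0xAA;
    return hit;
}
int main(void)
{
    printf("stale: %zu, reset: %zu\n", guard_bytes_clobbered(0), guard_bytes_clobbered(1));
    return 0;
}
```

With the end pointer left stale the write runs through the temporary buffer into the adjacent guard bytes; re-deriving the bound from the buffer actually in use stops it at the buffer's end.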