1 |
From a3a1f4163c4d0f9a36056c8640661a88674ae8a2 Mon Sep 17 00:00:00 2001 |
From a3a1f4163c4d0f9a36056c8640661a88674ae8a2 Mon Sep 17 00:00:00 2001 |
2 |
From: Jeff Law <law@redhat.com> |
From: Jeff Law <law@redhat.com> |
3 |
Date: Mon, 15 Dec 2014 10:09:07 +0100 |
Date: Mon, 15 Dec 2014 10:09:32 +0100 |
4 |
Subject: [PATCH] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617] |
Subject: [PATCH 13/18] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617] |
5 |
|
|
6 |
A larger number of format specifiers could cause a stack overflow, |
A larger number of format specifiers could cause a stack overflow, |
7 |
potentially allowing to bypass _FORTIFY_SOURCE format string |
potentially allowing to bypass _FORTIFY_SOURCE format string |
25 |
create mode 100644 stdio-common/bug23-3.c |
create mode 100644 stdio-common/bug23-3.c |
26 |
create mode 100644 stdio-common/bug23-4.c |
create mode 100644 stdio-common/bug23-4.c |
27 |
|
|
28 |
#diff --git a/ChangeLog b/ChangeLog |
diff --git a/ChangeLog b/ChangeLog |
29 |
#index ac7d980..88d2f1e 100644 |
index ac7d980..88d2f1e 100644 |
30 |
#--- a/ChangeLog |
--- a/ChangeLog |
31 |
#+++ b/ChangeLog |
+++ b/ChangeLog |
32 |
#@@ -1,3 +1,12 @@ |
@@ -1,3 +1,12 @@ |
33 |
#+2014-12-15 Jeff Law <law@redhat.com> |
+2014-12-15 Jeff Law <law@redhat.com> |
34 |
#+ |
+ |
35 |
#+ [BZ #16617] |
+ [BZ #16617] |
36 |
#+ * stdio-common/vfprintf.c (vfprintf): Allocate large specs array |
+ * stdio-common/vfprintf.c (vfprintf): Allocate large specs array |
37 |
#+ on the heap. (CVE-2012-3406) |
+ on the heap. (CVE-2012-3406) |
38 |
#+ * stdio-common/bug23-2.c, stdio-common/bug23-3.c: New file. |
+ * stdio-common/bug23-2.c, stdio-common/bug23-3.c: New file. |
39 |
#+ * stdio-common/bug23-4.c: New file. Test case by Joseph Myers. |
+ * stdio-common/bug23-4.c: New file. Test case by Joseph Myers. |
40 |
#+ * stdio-common/Makefile (tests): Add bug23-2, bug23-3, bug23-4. |
+ * stdio-common/Makefile (tests): Add bug23-2, bug23-3, bug23-4. |
41 |
#+ |
+ |
42 |
# 2014-11-24 Siddhesh Poyarekar <siddhesh@redhat.com> |
2014-11-24 Siddhesh Poyarekar <siddhesh@redhat.com> |
43 |
# |
|
44 |
# [BZ #17266] |
[BZ #17266] |
45 |
#diff --git a/NEWS b/NEWS |
diff --git a/NEWS b/NEWS |
46 |
#index 3de92cd..f6cdb66 100644 |
index 3de92cd..f6cdb66 100644 |
47 |
#--- a/NEWS |
--- a/NEWS |
48 |
#+++ b/NEWS |
+++ b/NEWS |
49 |
#@@ -9,7 +9,7 @@ Version 2.20.1 |
@@ -9,7 +9,7 @@ Version 2.20.1 |
50 |
# |
|
51 |
# * The following bugs are resolved with this release: |
* The following bugs are resolved with this release: |
52 |
# |
|
53 |
#- 17266, 17370, 17371, 17460, 17485, 17555, 17625. |
- 17266, 17370, 17371, 17460, 17485, 17555, 17625. |
54 |
#+ 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625. |
+ 16617, 17266, 17370, 17371, 17460, 17485, 17555, 17625. |
55 |
# |
|
56 |
# * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag |
* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag |
57 |
# under certain input conditions resulting in the execution of a shell for |
under certain input conditions resulting in the execution of a shell for |
58 |
#@@ -17,6 +17,8 @@ Version 2.20.1 |
@@ -17,6 +17,8 @@ Version 2.20.1 |
59 |
# implementation now checks WRDE_NOCMD immediately before executing the |
implementation now checks WRDE_NOCMD immediately before executing the |
60 |
# shell and returns the error WRDE_CMDSUB as expected. |
shell and returns the error WRDE_CMDSUB as expected. |
61 |
# |
|
62 |
#+* CVE-2012-3406 printf-style functions could run into a stack overflow when |
+* CVE-2012-3406 printf-style functions could run into a stack overflow when |
63 |
#+ processing format strings with a large number of format specifiers.a |
+ processing format strings with a large number of format specifiers.a |
64 |
# |
|
65 |
# Version 2.20 |
Version 2.20 |
66 |
# |
|
67 |
diff --git a/stdio-common/Makefile b/stdio-common/Makefile |
diff --git a/stdio-common/Makefile b/stdio-common/Makefile |
68 |
index 5f8e534..e5e45b6 100644 |
index 5f8e534..e5e45b6 100644 |
69 |
--- a/stdio-common/Makefile |
--- a/stdio-common/Makefile |
324 |
free (args_malloced); |
free (args_malloced); |
325 |
if (__glibc_unlikely (workstart != NULL)) |
if (__glibc_unlikely (workstart != NULL)) |
326 |
-- |
-- |
327 |
1.8.4.5 |
2.3.0 |
328 |
|
|