The fix for bug 1012343:
It results in an unterminated string being passed as a mode to fopen which results in the potential use of uninitialized data.
@@ -40,10 +40,10 @@
__setmntent (const char *file, const char *mode)
/* Extend the mode parameter with "c" to disable cancellation in the
- I/O functions. */
+ I/O functions and "e" to set FD_CLOEXEC. */
size_t modelen = strlen (mode);
char newmode[modelen + 2];
- memcpy (mempcpy (newmode, mode, modelen), "c", 2);
+ memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
FILE *result = fopen (file, newmode);
if (result != NULL)
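Review bot: the buffer and the copy length in the `+` line are both one byte short. `newmode` keeps its size of `modelen + 2` while the suffix grew from "c" to "ce", and `memcpy (mempcpy (newmode, mode, modelen), "ce", 2)` copies only the two letters without the terminating NUL, so `fopen` receives an unterminated mode string and reads whatever follows on the stack. Declare `char newmode[modelen + 3];` and copy 3 bytes: `memcpy (mempcpy (newmode, mode, modelen), "ce", 3);`.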
The newmode should be size modelen + 3 and the memcpy should copy 3 bytes.
An audit revealed that also needed are cancellation fixes for:
So we must fix those up also.
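As an added illustration (not glibc's code and not part of this report), here is the mode-extension logic with the buffer size and copy length corrected as described above, beside a check that shows why the original sizing leaves the string unterminated; `extend_mode` and `buggy_mode_is_terminated` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Build a mode string for fopen() by appending "c" (no cancellation) and
 * "e" (FD_CLOEXEC) to MODE, the way __setmntent() does, but with the
 * buffer sized to hold the terminating NUL. OUT must have room for
 * strlen(mode) + 3 bytes. Returns the length of the resulting string,
 * or 0 if OUTLEN is too small. */
size_t extend_mode(const char *mode, char *out, size_t outlen)
{
    size_t modelen = strlen(mode);
    /* Two suffix characters plus the NUL terminator: modelen + 3, not + 2. */
    if (outlen < modelen + 3)
        return 0;
    memcpy(out, mode, modelen);
    /* Copy 3 bytes so the NUL that ends "ce" is copied as well; copying
     * only 2 bytes is the defect the report describes. */
    memcpy(out + modelen, "ce", 3);
    return modelen + 2;
}

/* Reproduces the defective sizing: a buffer of modelen + 2 bytes filled
 * with a 2-byte copy of "ce" has no terminator anywhere inside it.
 * Returns 1 if a NUL exists within the buffer, 0 otherwise. */
int buggy_mode_is_terminated(const char *mode)
{
    size_t modelen = strlen(mode);
    char newmode[modelen + 2];
    memset(newmode, 'X', sizeof newmode); /* stand-in for leftover stack bytes */
    memcpy(newmode, mode, modelen);
    memcpy(newmode + modelen, "ce", 2);   /* the unfixed copy length */
    return memchr(newmode, '\0', sizeof newmode) != NULL;
}

int main(void)
{
    char buf[8];
    size_t n = extend_mode("r", buf, sizeof buf);
    printf("fixed:  \"%s\" (%zu chars)\n", buf, n);
    printf("buggy:  terminated=%d\n", buggy_mode_is_terminated("r"));
    return 0;
}
```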
The fix for bug 952422 fixed the cancellation issue with getsysstats.c already.
First reported here: https://blogs.oracle.com/wim/entry/oracle_linux_6_update_9
(Via bug 1012343 comment 21.)
*** Bug 1437111 has been marked as a duplicate of this bug. ***
Fixes complete and undergoing internal review.
(In reply to Carlos O'Donell from comment #0)
> Contains a defect that results in a 1-byte buffer overflow.
This statement is incorrect. It results in an unterminated string being passed as a mode to fopen which results in the potential use of uninitialized data.
*** Bug 1394704 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.