2273404 – (CVE-2024-2961) CVE-2024-2961 glibc: Out of bounds write in iconv may lead to remote code execution

Bug 2273404 (CVE-2024-2961) - CVE-2024-2961 glibc: Out of bounds write in iconv may lead to remote code execution [NEEDINFO]

Summary: CVE-2024-2961 glibc: Out of bounds write in iconv may lead to remote code exe...

Keywords:
Status:	NEW
Alias:	CVE-2024-2961
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2275855 2275933
Blocks:	2273407
TreeView+	depends on / blocked

Reported:	2024-04-04 15:43 UTC by Marco Benatto
Modified:	2024-04-25 21:51 UTC (History)
CC List:	49 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. When converting from UCS4 charset, adding certain escape charterers is required to indicate where the charset was changed to the library. During this process, iconv improperly checks the boundaries of internal buffers, leading to a buffer overflow, which allows writing up to 3 bytes outside the desired memory location. This issue may allow an attacker to craft a malicious characters sequence that will trigger the out-of-bounds write and perform remote code execution, presenting a high impact to the Integrity, Confidentiality, and Availability triad.
Clone Of:
Environment:
Last Closed:
Embargoed:
Flags:	mbenatto: needinfo? (kyoshida)

Attachments	(Terms of Use)

Description Marco Benatto 2024-04-04 15:43:00 UTC

The iconv plugin ISO-2022-CN-EXT, when converting from UCS4, might trigger a OOB write. The encoding requires to add escape sequence to indicate where
it changes the character set (as described by RFC 1922) and while the bounds check is done by the SOdesignation designation, it is missing for SS2designation and SS3designation. This leads to an overflow of 1, 2, or 3 bytes with  fixed values: `$+I`, `$+J`, `$+K`, `$+L`, `$+M`, or , `$*H`.

Comment 4 Sandipan Roy 2024-04-18 04:26:52 UTC

Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2275855]

Comment 5 Sandipan Roy 2024-04-18 14:13:15 UTC

Created glibc tracking bugs for this issue:

Affects: fedora-rawhide [bug 2275933]

Note You need to log in before you can comment on or make changes to this bug.

aarif
agarcial
aoconnor
aprice
asegurap
ashankar
bdettelb
caswilli
codonell
dbodnarc
dfreiber
dhalasz
dkuc
drow
fjansen
fweimer
ggastald
hkataria
jburrell
jbuscemi
jmitchel
jsamir
jsherril
jtanner
kaycoth
kholdawa
kshier
kyoshida
luizcosta
mcoufal
mpierce
nweather
oezr
orabin
psegedy
ricardo.barberis
sbiarozk
security-response-team
sidakwo
sipoyare
skolosov
stcannon
sthirugn
vkrizan
vkumar
vmugicag
xiaoxwan
yguenane
zzhou