Heap buffer overflow was reported [1] in glibc stdio-common/vfscanf.c. stdio-common/vfscanf.c has an ADDW macro that tries to determine whether to use malloc or alloca for allocations. But in the malloc case, it only allocates newsize bytes instead of the required newsize * sizeof (CHAR_T). Thus the allocated buffer gets overrun in the wide-string case, as shown in the following testcase:

    #include <stdlib.h>
    #include <wchar.h>

    /* SIZE is not defined in the posted snippet; 4096 is an assumed value
       large enough to make the scan buffer grow through the malloc path. */
    #ifndef SIZE
    #define SIZE 4096
    #endif

    int
    main (void)
    {
      wchar_t *s = malloc ((SIZE + 1) * sizeof (*s));
      if (s == NULL)
        abort ();
      /* A long run of '0' digits: %d keeps consuming them, so the
         internal buffer has to be reallocated. */
      for (size_t i = 0; i < SIZE; i++)
        s[i] = L'0';
      s[SIZE] = L'\0';
      int i;
      if (swscanf (s, L"%d", &i) != 1)
        abort ();
      if (i != 0)
        abort ();
      free (s);
      return 0;
    }

CVE request: http://www.openwall.com/lists/oss-security/2015/02/01/8

[1]: https://sourceware.org/bugzilla/show_bug.cgi?id=16618
Created glibc tracking bugs for this issue: Affects: fedora-all [bug 1188237]
Now fixed in upstream.

commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
Author: Paul Pluzhnikov <ppluzhnikov>
Date:   Fri Feb 6 00:30:42 2015 -0500

    CVE-2015-1472: wscanf allocates too little memory

    BZ #16618

    Under certain conditions wscanf can allocate too little memory for the
    to-be-scanned arguments and overflow the allocated buffer.
    The implementation now correctly computes the required buffer size when
    using malloc.

    A regression test was added to tst-sscanf.
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
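To put the defect described in the report and the shape of the upstream fix side by side, here is an added illustrative example; it is not glibc's code and not from the reporter or the commit. It models a minimal growable wide-character buffer of the kind ADDW manages and exposes the two size computations: the element count passed to malloc unscaled (what the report describes as the pre-fix behaviour) and the count scaled by sizeof (wchar_t) with an overflow check (the corrected form). The names wbuf_t, bytes_before_fix, bytes_after_fix, allocation_fits, wbuf_addw and run_append_demo are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Illustrative model only (not glibc's ADDW): a growable buffer of wide
 * characters that is re-allocated with malloc when it fills. */
typedef struct
{
  wchar_t *buf;
  size_t len;  /* elements in use */
  size_t cap;  /* elements allocated */
} wbuf_t;

/* Bytes the pre-fix code handed to malloc for `newsize` wide characters:
 * the element count was passed through without scaling. */
size_t
bytes_before_fix (size_t newsize)
{
  return newsize;
}

/* Bytes the corrected computation requests: the element count scaled by
 * the element size, with an overflow check so a huge count cannot wrap to
 * a small allocation. Returns 0 when the product would overflow. */
size_t
bytes_after_fix (size_t newsize)
{
  if (newsize > SIZE_MAX / sizeof (wchar_t))
    return 0;
  return newsize * sizeof (wchar_t);
}

/* True when an allocation of `bytes` can hold `newsize` wide characters. */
int
allocation_fits (size_t bytes, size_t newsize)
{
  return bytes / sizeof (wchar_t) >= newsize;
}

/* Append one wide character, growing the buffer with the corrected size
 * computation. Returns 0 on success, -1 on allocation failure. */
int
wbuf_addw (wbuf_t *b, wchar_t c)
{
  if (b->len + 1 > b->cap)
    {
      size_t newcap = b->cap ? b->cap * 2 : 32;
      size_t bytes = bytes_after_fix (newcap);
      if (bytes == 0)
        return -1;
      wchar_t *nb = malloc (bytes);
      if (nb == NULL)
        return -1;
      if (b->buf != NULL)
        {
          memcpy (nb, b->buf, b->len * sizeof (wchar_t));
          free (b->buf);
        }
      b->buf = nb;
      b->cap = newcap;
    }
  b->buf[b->len++] = c;
  return 0;
}

/* Push `n` copies of L'0' through the buffer, mirroring the report's input
 * of a long run of digits; returns the final element count, 0 on failure. */
size_t
run_append_demo (size_t n)
{
  wbuf_t b = { NULL, 0, 0 };
  for (size_t i = 0; i < n; i++)
    if (wbuf_addw (&b, L'0') != 0)
      {
        free (b.buf);
        return 0;
      }
  size_t len = b.len;
  free (b.buf);
  return len;
}

int
main (void)
{
  return run_append_demo (4096) == 4096 ? 0 : 1;
}
```

On a platform where wchar_t is 4 bytes, bytes_before_fix (4096) yields a 4096-byte block that holds only 1024 wide characters, which is the shortfall the report describes; bytes_after_fix (4096) requests 16384 bytes. The division-based overflow check is the piece a reviewer would ask for whenever a count is multiplied by an element size before being passed to malloc.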
glibc-2.20-8.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Statement: This issue did not affect the versions of glibc as shipped with Red Hat Enterprise Linux 5 and 6, as they used a different memory allocation algorithm in the swscanf() function.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2199 https://rhn.redhat.com/errata/RHSA-2015-2199.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.1 EUS - Server and Compute Node Only Via RHSA-2015:2589 https://rhn.redhat.com/errata/RHSA-2015-2589.html