Integer overflow when computing memory allocation sizes (similar to CVE-2012-4412) was reported [1] in the glibc strxfrm() function. Attached strxfrm-int32.c should trigger this issue on 32-bit systems. Additionally, it was discovered [1] that strxfrm() falls back to an unbounded alloca if malloc fails, making it vulnerable to stack-based buffer overflows (similar to CVE-2012-4424). Attached strxfrm-alloca.c should trigger this issue.

Upstream commit that fixes all issues: http://seclists.org/oss-sec/2015/q1/540

[1]: http://seclists.org/oss-sec/2015/q1/540
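To make the two bug classes in the report concrete, here is an added example (not glibc's code, and not the upstream fix) of how a strxfrm-style routine can size and acquire its per-character scratch buffer without either of them: the size computation refuses to wrap, and a malloc failure is reported instead of being papered over with an unbounded alloca. The per-character size and the stack budget are hypothetical values chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-character bookkeeping kept for the whole input. */
#define PER_CHAR_BYTES (sizeof(int32_t) + sizeof(uint8_t) + 1)
/* Largest scratch buffer a caller is willing to keep on the stack. */
#define STACK_BUDGET 4096

/* Bug class 1 (kept for contrast): (srclen + 1) * PER_CHAR_BYTES wraps
   for large srclen, easily so with a 32-bit size_t, and a huge input
   then gets a tiny buffer that later per-character writes overrun. */
size_t naive_alloc_size(size_t srclen) {
    return (srclen + 1) * PER_CHAR_BYTES;
}

/* Hardened: refuse instead of wrapping. Returns 1 and sets *out on success. */
int checked_alloc_size(size_t srclen, size_t *out) {
    if (srclen == SIZE_MAX) return 0;                     /* srclen + 1 wraps */
    if (srclen + 1 > SIZE_MAX / PER_CHAR_BYTES) return 0; /* product wraps */
    *out = (srclen + 1) * PER_CHAR_BYTES;
    return 1;
}

/* Bug class 2 avoided: the stack is used only when the size fits the
   fixed buffer the caller passes in; anything larger goes to malloc, and
   a malloc failure is reported as NULL instead of falling back to an
   unbounded alloca. *on_heap tells the caller whether free() is needed. */
void *acquire_scratch(size_t srclen, void *stack_buf, size_t stack_cap,
                      int *on_heap) {
    size_t bytes;
    *on_heap = 0;
    if (!checked_alloc_size(srclen, &bytes))
        return NULL;
    if (bytes <= stack_cap)
        return stack_buf;
    void *p = malloc(bytes);
    if (p == NULL) return NULL;
    *on_heap = 1;
    return p;
}

int main(void) {
    unsigned char scratch[STACK_BUDGET];
    int on_heap;
    void *p = acquire_scratch(100, scratch, sizeof scratch, &on_heap);
    if (on_heap) free(p);
    return p == NULL;
}
```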
Created attachment 991416: strxfrm-alloca.c

Created attachment 991417: strxfrm-int32.c
Created glibc tracking bugs for this issue:

Affects: fedora-all (bug 1192527)
Actual upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=0f9e585480ed

One of the integer overflows (or a precursor to it) was introduced into strxfrm in this commit:

commit 450bf66ef223ad83e7032920652445817865770b
Author: Ulrich Drepper <drepper>
Date:   Sat Dec 25 23:41:39 1999 +0000
…
    * string/strxfrm.c: Complete rewrite for new collate implementation.

strxfrm is not widely used (although it is referenced by Firefox and PostgreSQL); use of strxfrm_l is even rarer.
CVE request via: http://openwall.com/lists/oss-security/2015/09/08/2
CVE assignment: http://seclists.org/oss-sec/2017/q1/437