Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
util-linux.3352
util-linux-colcrt-CVE-2015-5218-overflow.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File util-linux-colcrt-CVE-2015-5218-overflow.patch of Package util-linux.3352
From d883d64d96ab9bef510745d064a351145b9babec Mon Sep 17 00:00:00 2001 From: Sami Kerola <kerolasa@iki.fi> Date: Sun, 9 Aug 2015 18:16:34 +0100 Subject: [PATCH 1/2] colcrt: avoid writing beyond array bound [afl & asan] text-utils/colcrt.c:205:10: runtime error: index -1 out of bounds for type 'wchar_t [133]' SUMMARY: AddressSanitizer: undefined-behavior text-utils/colcrt.c:205 ================================================================= ==2357==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013811b0 at pc 0x0000004e2514 bp 0x7ffdf6ba4450 sp 0x7ffdf6ba4448 READ of size 4 at 0x0000013811b0 thread T0 #0 0x4e2513 in colcrt /home/src/util-linux/text-utils/colcrt.c:213:8 #1 0x4e17d4 in main /home/src/util-linux/text-utils/colcrt.c:139:3 #2 0x7fb77236960f in __libc_start_main (/usr/lib/libc.so.6+0x2060f) #3 0x4362c8 in _start (/home/src/util-linux/colcrt+0x4362c8) Reported-by: Alaa Mubaied <alaamubaied@gmail.com> Signed-off-by: Sami Kerola <kerolasa@iki.fi> --- text-utils/colcrt.c | 2 ++ 1 file changed, 2 insertions(+) From 70e3fcf293c1827a2655a86584ab13075124a8a8 Mon Sep 17 00:00:00 2001 From: Sami Kerola <kerolasa@iki.fi> Date: Sun, 9 Aug 2015 18:02:18 +0100 Subject: [PATCH 2/2] colcrt: allocate enough space for data moves [afl & asan] ==2807==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013a31f0 at pc 0x0000004e3047 bp 0x7fffcb7df8d0 sp 0x7fffcb7df8c8 READ of size 4 at 0x0000013a31f0 thread T0 #0 0x4e3046 in move /home/src/util-linux/text-utils/colcrt.c:309:13 #1 0x4e25b1 in pflush /home/src/util-linux/text-utils/colcrt.c:264:3 #2 0x4e246d in colcrt /home/src/util-linux/text-utils/colcrt.c:157:4 #3 0x4e17d4 in main /home/src/util-linux/text-utils/colcrt.c:141:3 #4 0x7fb0cb2ee60f in __libc_start_main (/usr/lib/libc.so.6+0x2060f) #5 0x4362c8 in _start (/home/src/util-linux/colcrt+0x4362c8) 0x0000013a31f0 is located 0 bytes to the right of global variable 'page' defined in 'text-utils/colcrt.c:73:9' (0x1380b40) of size 140976 SUMMARY: AddressSanitizer: global-buffer-overflow /home/src/util-linux/text-utils/colcrt.c:309 move And another crash: ==4578==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013a3d24 at pc 0x0000004e2510 bp 0x7ffc9257b0e0 sp 0x7ffc9257b0d8 READ of size 4 at 0x0000013a3d24 thread T0 #0 0x4e250f in colcrt /home/src/util-linux/text-utils/colcrt.c:218:8 #1 0x4e17d4 in main /home/src/util-linux/text-utils/colcrt.c:141:3 #2 0x7fe0ac94160f in __libc_start_main (/usr/lib/libc.so.6+0x2060f) #3 0x4362c8 in _start (/home/src/util-linux/colcrt+0x4362c8) 0x0000013a3d24 is located 8 bytes to the right of global variable 'page' defined in 'text-utils/colcrt.c:73:9' (0x1381240) of size 142044 SUMMARY: AddressSanitizer: global-buffer-overflow /home/src/util-linux/text-utils/colcrt.c:218 colcrt Reported-by: Alaa Mubaied <alaamubaied@gmail.com> Signed-off-by: Sami Kerola <kerolasa@iki.fi> --- text-utils/colcrt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: util-linux-2.25/text-utils/colcrt.c =================================================================== --- util-linux-2.25.orig/text-utils/colcrt.c +++ util-linux-2.25/text-utils/colcrt.c @@ -68,7 +68,7 @@ static void __attribute__ ((__noreturn__ * Option -2 forces printing of all half lines. */ -wchar_t page[267][132]; +wchar_t page[268][133]; int outline = 1; int outcol; @@ -200,6 +200,8 @@ void colcrt(FILE *f) { /* fallthrough */ default: w = wcwidth(c); + if (w < 0) + continue; if (outcol + w > 132) { outcol++; continue;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor