Bug#681473: CVE-2012-3404 CVE-2012-3405 CVE-2012-3406
clone 681473 -1
retitle 681473 CVE-2012-3404 CVE-2012-3405
retitle -1 CVE-2012-3406
thanks
On Fri, Jul 13, 2012 at 03:41:23PM +0200, Moritz Muehlenhoff wrote:
> Package: eglibc
> Severity: important
> Tags: security
>
> Hi,
> please see http://www.openwall.com/lists/oss-security/2012/07/11/17 for details
> and references to upstream patches.
>
> The security impact is rather low IMO; if the format strings are under control
> of an attacker, this opens a whole can of worms anyway.
>
> Still, it would be nice to get these fixed for Wheezy and for Squeeze in a point
> update.
>
I'll add the patches for CVE-2012-3404 and CVE-2012-3405 as they come
from upstream and look correct. For CVE-2012-3406 RedHat, as usual,
hasn't submitted the patch upstream and thus it hasn't been reviewed. I
have looked at it quickly and I have to say I don't really like it.
Replacing a call to alloca() by a call to malloc() without checking the
return value is only a small improvement when the attacker can control
the allocation size. Also it means the attacker can DoS the system or
crash the program. To finish, malloc() + memmove() + free() is not the
best way to reallocate big chunks of memory when realloc() exists.
I am therefore not planning to apply this patch in the current state,
and thus I am cloning this bug to keep this CVE entry separated from the
others.
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net
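The objection above (an unchecked malloc() of an attacker-influenced size, and malloc()+memmove()+free() where realloc() would do) is easier to see against a concrete growth routine. The following is an added example written for this page; it is not code from the bug report, from the Red Hat patch or from glibc. It assumes a hypothetical growable buffer type and a hypothetical cap `BUF_MAX_BYTES` chosen only for illustration; a real program would pick a bound suited to its input. It shows the three points the message makes: refuse oversized requests before allocating, check the allocator's return value, and let realloc() move the live bytes instead of copying them by hand.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on what this program is willing to allocate for
 * one buffer. An attacker-controlled length larger than this is refused
 * outright rather than handed to malloc()/realloc(). */
#define BUF_MAX_BYTES ((size_t)64 * 1024 * 1024)

struct buf {
    char *data;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
};

/* Make b->data able to hold at least `need` bytes.
 * Returns 0 on success, -1 with errno set on failure. On failure the old
 * buffer is untouched and still owned by the caller (no leak, no dangling
 * pointer), which is what an unchecked malloc()+memmove()+free() cannot
 * promise. */
int buf_reserve(struct buf *b, size_t need)
{
    if (need <= b->cap)
        return 0;
    if (need > BUF_MAX_BYTES) {        /* refuse attacker-sized requests up front */
        errno = ENOMEM;
        return -1;
    }
    size_t newcap = b->cap ? b->cap : 64;
    while (newcap < need) {
        if (newcap > BUF_MAX_BYTES / 2) { newcap = BUF_MAX_BYTES; break; }
        newcap *= 2;                   /* geometric growth keeps appends amortised O(1) */
    }
    /* realloc() copies the live bytes itself; no memmove()+free() needed.
     * Assign to a temporary so a NULL return does not overwrite b->data. */
    char *p = realloc(b->data, newcap);
    if (p == NULL)
        return -1;                     /* errno is already ENOMEM */
    b->data = p;
    b->cap = newcap;
    return 0;
}

/* Append n bytes of s. Returns 0 on success, -1 on failure. */
int buf_append(struct buf *b, const char *s, size_t n)
{
    if (n > SIZE_MAX - b->len) {       /* guard the length arithmetic itself */
        errno = EOVERFLOW;
        return -1;
    }
    if (buf_reserve(b, b->len + n) != 0)
        return -1;
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

void buf_free(struct buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Demonstration on constructed input: two legitimate appends, then a
 * hostile SIZE_MAX request. Returns 1 if the hostile request was refused
 * with ENOMEM and the existing contents survived it unchanged. */
int demo(void)
{
    struct buf b = {0};
    if (buf_append(&b, "hello ", 6) != 0) return 0;
    if (buf_append(&b, "world", 5) != 0) return 0;

    size_t len_before = b.len, cap_before = b.cap;
    int refused = (buf_reserve(&b, SIZE_MAX) == -1) && errno == ENOMEM;
    int intact = b.len == len_before && b.cap == cap_before &&
                 memcmp(b.data, "hello world", 11) == 0;

    buf_free(&b);
    return refused && intact;
}
```

The point of the temporary `p` is the one the message hints at: with a plain `b->data = realloc(b->data, ...)` a NULL return both leaks the old block and leaves the caller holding a null pointer, so the "check the return value" advice only helps if the check happens before the old pointer is discarded.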