
Bug#772705: marked as done (libc6: buffer overflow in tzset)



Your message dated Mon, 7 Mar 2016 18:46:58 +0100
with message-id <20160307174658.GA28636@aurel32.net>
and subject line Re: Bug#772705: libc6: buffer overflow in tzset
has caused the Debian Bug report #772705,
regarding libc6: buffer overflow in tzset
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.19-13

The attached crafted timezone file makes tzset(3) crash:

$ TZ=$PWD/crashtz date
*** Error in `date': free(): invalid next size (fast): 0x0916b160 ***
Aborted


Valgrind says:

==7754== Invalid write of size 1
==7754==    at 0x40F7D7D: __tzfile_read (tzfile.c:379)
==7754==    by 0x40F71D1: tzset_internal (tzset.c:447)
==7754==    by 0x40F749E: __tz_convert (tzset.c:632)
==7754==    by 0x40F5BDC: localtime (localtime.c:42)
==7754==    by 0x8049B94: ??? (in /bin/date)
==7754==    by 0x8049885: ??? (in /bin/date)
==7754==    by 0x4069A62: (below main) (libc-start.c:287)
==7754==  Address 0x41fe816 is 6 bytes after a block of size 0 alloc'd
==7754==    at 0x40291CC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7754==    by 0x40F79A1: __tzfile_read (tzfile.c:278)
==7754==    by 0x40F71D1: tzset_internal (tzset.c:447)
==7754==    by 0x40F749E: __tz_convert (tzset.c:632)
==7754==    by 0x40F5BDC: localtime (localtime.c:42)
==7754==    by 0x8049B94: ??? (in /bin/date)
==7754==    by 0x8049885: ??? (in /bin/date)
==7754==    by 0x4069A62: (below main) (libc-start.c:287)
==7754== 
==7754== Invalid write of size 1
==7754==    at 0x40F7DDD: __tzfile_read (tzfile.c:389)
==7754==    by 0x40F71D1: tzset_internal (tzset.c:447)
==7754==    by 0x40F749E: __tz_convert (tzset.c:632)
==7754==    by 0x40F5BDC: localtime (localtime.c:42)
==7754==    by 0x8049B94: ??? (in /bin/date)
==7754==    by 0x8049885: ??? (in /bin/date)
==7754==    by 0x4069A62: (below main) (libc-start.c:287)
==7754==  Address 0x41fe817 is 7 bytes after a block of size 0 alloc'd
==7754==    at 0x40291CC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7754==    by 0x40F79A1: __tzfile_read (tzfile.c:278)
==7754==    by 0x40F71D1: tzset_internal (tzset.c:447)
==7754==    by 0x40F749E: __tz_convert (tzset.c:632)
==7754==    by 0x40F5BDC: localtime (localtime.c:42)
==7754==    by 0x8049B94: ??? (in /bin/date)
==7754==    by 0x8049885: ??? (in /bin/date)
==7754==    by 0x4069A62: (below main) (libc-start.c:287)


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libc6:i386 depends on:
ii  libgcc1  1:4.9.2-6

Versions of packages libc6:i386 recommends:
ii  libc6-i686  2.19-13

--
Jakub Wilk

Attachment: crashtz
Description: Binary data


--- End Message ---
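The valgrind trace in the report shows one-byte writes landing just past a zero-byte block allocated while parsing the timezone file. The check a TZif reader needs before sizing any buffer from header fields is the subject of the following added example; it is not glibc's code and not part of this bug report. It parses the version-1 TZif header per tzfile(5), bounds each of the six count fields, verifies that the data block those counts describe actually fits in the file, and verifies that every type's abbreviation index lies inside the abbreviation area. The sample file bytes, the TZIF_MAX_COUNT limit and the demo_* helpers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TZif version-1 header layout, per tzfile(5):
 *   bytes  0..3   magic "TZif"
 *   byte   4      version ('\0', '2' or '3')
 *   bytes  5..19  reserved
 *   bytes 20..43  six big-endian 32-bit counts, in this order:
 *                 isutcnt, isstdcnt, leapcnt, timecnt, typecnt, charcnt
 */
#define TZIF_HEADER_LEN 44

/* Policy limit chosen for this example (not a value from tzfile(5)):
 * no single count larger than this is accepted. */
#define TZIF_MAX_COUNT 65536u

struct tzif_counts {
    uint32_t isutcnt, isstdcnt, leapcnt, timecnt, typecnt, charcnt;
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 if the header counts are internally consistent and the data block
 * they describe is present in 'buf'; 0 otherwise. On success *need holds the
 * exact size of the version-1 data block, i.e. the only size a caller should
 * ever allocate from these counts. */
int tzif_validate(const unsigned char *buf, size_t len,
                  struct tzif_counts *c, size_t *need)
{
    if (len < TZIF_HEADER_LEN || memcmp(buf, "TZif", 4) != 0)
        return 0;
    c->isutcnt  = be32(buf + 20);
    c->isstdcnt = be32(buf + 24);
    c->leapcnt  = be32(buf + 28);
    c->timecnt  = be32(buf + 32);
    c->typecnt  = be32(buf + 36);
    c->charcnt  = be32(buf + 40);

    /* Reject absurd counts before doing any arithmetic with them. */
    if (c->isutcnt > TZIF_MAX_COUNT || c->isstdcnt > TZIF_MAX_COUNT ||
        c->leapcnt > TZIF_MAX_COUNT || c->timecnt > TZIF_MAX_COUNT ||
        c->typecnt > TZIF_MAX_COUNT || c->charcnt > TZIF_MAX_COUNT)
        return 0;
    /* Transitions index into the type table, so transitions without types
     * are meaningless. The std/UT indicator arrays are per type: 0 or typecnt. */
    if (c->typecnt == 0 && c->timecnt > 0) return 0;
    if (c->isstdcnt != 0 && c->isstdcnt != c->typecnt) return 0;
    if (c->isutcnt  != 0 && c->isutcnt  != c->typecnt) return 0;

    /* Every count is <= TZIF_MAX_COUNT, so this sum cannot overflow size_t. */
    size_t n = (size_t)c->timecnt * 4   /* transition times         */
             + (size_t)c->timecnt       /* transition type indices  */
             + (size_t)c->typecnt * 6   /* ttinfo records           */
             + (size_t)c->charcnt       /* abbreviation characters  */
             + (size_t)c->leapcnt * 8   /* leap-second records      */
             + (size_t)c->isstdcnt
             + (size_t)c->isutcnt;
    /* The whole data block must actually be present in the file. */
    if (n > len - TZIF_HEADER_LEN) return 0;

    /* Each ttinfo's abbreviation index (byte 5 of the 6-byte record) must
     * point inside the abbreviation area; with charcnt == 0 any index fails. */
    const unsigned char *types = buf + TZIF_HEADER_LEN + (size_t)c->timecnt * 5;
    for (uint32_t i = 0; i < c->typecnt; i++)
        if (types[i * 6 + 5] >= c->charcnt) return 0;

    *need = n;
    return 1;
}

/* Constructed sample: a minimal version-1 TZif file with a single "UTC"
 * type, no transitions and charcnt = 4 for "UTC\0". */
static const unsigned char good_tz[] = {
    'T','Z','i','f', 0,                    /* magic, version 1          */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,         /* 15 reserved bytes         */
    0,0,0,0,  0,0,0,0,  0,0,0,0,           /* isutcnt, isstdcnt, leapcnt */
    0,0,0,0,  0,0,0,1,  0,0,0,4,           /* timecnt, typecnt, charcnt  */
    0,0,0,0, 0, 0,                         /* ttinfo: utoff 0, isdst 0, abbrind 0 */
    'U','T','C',0                          /* abbreviation characters   */
};

/* Demo helper: data-block size the validator computes for good_tz (0 if rejected). */
size_t demo_good_size(void)
{
    struct tzif_counts c;
    size_t need = 0;
    tzif_validate(good_tz, sizeof good_tz, &c, &need);
    return need;
}

/* Demo helper: validate a copy of good_tz whose typecnt field is overwritten
 * with 'typecnt', simulating a file whose header claims more than it holds. */
int demo_with_typecnt(uint32_t typecnt)
{
    unsigned char copy[sizeof good_tz];
    struct tzif_counts c;
    size_t need = 0;
    memcpy(copy, good_tz, sizeof copy);
    copy[36] = (unsigned char)(typecnt >> 24);
    copy[37] = (unsigned char)(typecnt >> 16);
    copy[38] = (unsigned char)(typecnt >> 8);
    copy[39] = (unsigned char)typecnt;
    return tzif_validate(copy, sizeof copy, &c, &need);
}

int main(void)
{
    printf("good sample: data block of %zu bytes\n", demo_good_size());
    printf("typecnt claimed as 2: %s\n", demo_with_typecnt(2) ? "accepted" : "rejected");
    printf("typecnt claimed as 0x7fffffff: %s\n",
           demo_with_typecnt(0x7fffffffu) ? "accepted" : "rejected");
    return 0;
}
```

The point of returning `need` separately is that a reader should allocate exactly the size the validated counts imply, never a size reassembled from raw header fields or from a file-length subtraction that can go negative; the header is attacker-controlled input and every buffer size derived from it has to survive the length check first.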
--- Begin Message ---
Version: 2.22-1

On 2015-04-24 20:54, Salvatore Bonaccorso wrote:
> Hi
> 
> This should be addressed with the following commit:
> 
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42261ad731
> 
> See: http://www.openwall.com/lists/oss-security/2015/04/24/3

This commit is part of glibc 2.22, which is now in sid. I am therefore
closing the bug with this version.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

--- End Message ---
