Debian Bug report logs - #772705
libc6: buffer overflow in tzset


Package: libc6; Maintainer for libc6 is GNU Libc Maintainers <[email protected]>; Source for libc6 is src:glibc (PTS, buildd, popcon).

Reported by: Jakub Wilk <[email protected]>

Date: Wed, 10 Dec 2014 11:33:02 UTC

Severity: normal

Tags: fixed-upstream

Found in version glibc/2.19-13

Fixed in version 2.22-1

Done: Aurelien Jarno <[email protected]>

Bug is archived. No further changes may be made.

Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=17715



Report forwarded to [email protected], [email protected], GNU Libc Maintainers <[email protected]>:
Bug#772705; Package libc6. (Wed, 10 Dec 2014 11:33:06 GMT)


Message #3 received at [email protected]:

From: Jakub Wilk <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: libc6: buffer overflow in tzset
Date: Wed, 10 Dec 2014 12:30:44 +0100
Package: libc6
Version: 2.19-13

The attached crafted timezone file makes tzset(3) crash:

$ TZ=$PWD/crashtz date
*** Error in `date': free(): invalid next size (fast): 0x0916b160 ***
Aborted


Valgrind says:

==7754== Invalid write of size 1
==7754==    at 0x40F7D7D: __tzfile_read (tzfile.c:379)
==7754==    by 0x40F71D1: tzset_internal (tzset.c:447)
==7754==    by 0x40F749E: __tz_convert (tzset.c:632)
==7754==    by 0x40F5BDC: localtime (localtime.c:42)
==7754==    by 0x8049B94: ??? (in /bin/date)
==7754==    by 0x8049885: ??? (in /bin/date)
==7754==    by 0x4069A62: (below main) (libc-start.c:287)
==7754==  Address 0x41fe816 is 6 bytes after a block of size 0 alloc'd
==7754==    at 0x40291CC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7754==    by 0x40F79A1: __tzfile_read (tzfile.c:278)
==7754==    by 0x40F71D1: tzset_internal (tzset.c:447)
==7754==    by 0x40F749E: __tz_convert (tzset.c:632)
==7754==    by 0x40F5BDC: localtime (localtime.c:42)
==7754==    by 0x8049B94: ??? (in /bin/date)
==7754==    by 0x8049885: ??? (in /bin/date)
==7754==    by 0x4069A62: (below main) (libc-start.c:287)
==7754== 
==7754== Invalid write of size 1
==7754==    at 0x40F7DDD: __tzfile_read (tzfile.c:389)
==7754==    by 0x40F71D1: tzset_internal (tzset.c:447)
==7754==    by 0x40F749E: __tz_convert (tzset.c:632)
==7754==    by 0x40F5BDC: localtime (localtime.c:42)
==7754==    by 0x8049B94: ??? (in /bin/date)
==7754==    by 0x8049885: ??? (in /bin/date)
==7754==    by 0x4069A62: (below main) (libc-start.c:287)
==7754==  Address 0x41fe817 is 7 bytes after a block of size 0 alloc'd
==7754==    at 0x40291CC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7754==    by 0x40F79A1: __tzfile_read (tzfile.c:278)
==7754==    by 0x40F71D1: tzset_internal (tzset.c:447)
==7754==    by 0x40F749E: __tz_convert (tzset.c:632)
==7754==    by 0x40F5BDC: localtime (localtime.c:42)
==7754==    by 0x8049B94: ??? (in /bin/date)
==7754==    by 0x8049885: ??? (in /bin/date)
==7754==    by 0x4069A62: (below main) (libc-start.c:287)


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libc6:i386 depends on:
ii  libgcc1  1:4.9.2-6

Versions of packages libc6:i386 recommends:
ii  libc6-i686  2.19-13

-- 
Jakub Wilk
[crashtz (application/octet-stream, attachment)]
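The valgrind trace above shows one-byte writes landing past a zero-size block that was allocated while the file was being read, which is the pattern you get when table sizes are taken from the file's own header and never checked against the bytes actually present. As an added example (not glibc's tzfile.c, and not the upstream fix), here is the kind of header sanity check a TZif reader can apply before allocating anything: it parses the six counts of a version-1 TZif header (layout per RFC 8536) and rejects a file whose declared tables do not fit in its length; the sample header at the end is constructed for the test.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not glibc's tzfile.c: validate a TZif version-1 header
 * before trusting its counts. Layout (RFC 8536): "TZif", 1 version byte,
 * 15 reserved bytes, then six big-endian 32-bit counts in this order:
 * ttisutcnt, ttisstdcnt, leapcnt, timecnt, typecnt, charcnt. */
#define TZIF_HDR_LEN 44

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* 1 if the tables the counts describe fit in a file of 'len' bytes,
 * 0 otherwise. 64-bit sums: a huge count cannot wrap to a small total. */
int tzif_counts_fit(size_t len, uint32_t ttisutcnt, uint32_t ttisstdcnt,
                    uint32_t leapcnt, uint32_t timecnt, uint32_t typecnt,
                    uint32_t charcnt)
{
    /* Transitions need at least one ttinfo entry to index into; the
     * isstd/isut flag tables must be empty or hold one flag per ttinfo. */
    if (timecnt != 0 && typecnt == 0) return 0;
    if (ttisstdcnt != 0 && ttisstdcnt != typecnt) return 0;
    if (ttisutcnt != 0 && ttisutcnt != typecnt) return 0;
    uint64_t need = (uint64_t)TZIF_HDR_LEN
        + (uint64_t)timecnt * 5   /* 4-byte times + 1-byte type indices */
        + (uint64_t)typecnt * 6   /* ttinfo: utoff(4), isdst(1), desigidx(1) */
        + charcnt                 /* abbreviation characters */
        + (uint64_t)leapcnt * 8   /* v1 leap-second records */
        + ttisstdcnt + ttisutcnt; /* flag tables */
    return need <= (uint64_t)len;
}

/* Parse the header out of 'buf' and apply the check above. */
int tzif_header_ok(const unsigned char *buf, size_t len)
{
    if (len < TZIF_HDR_LEN || memcmp(buf, "TZif", 4) != 0)
        return 0;
    return tzif_counts_fit(len, be32(buf + 20), be32(buf + 24),
                           be32(buf + 28), be32(buf + 32),
                           be32(buf + 36), be32(buf + 40));
}

/* Constructed sample: a bare header with every count zero is consistent. */
const unsigned char tzif_empty_hdr[TZIF_HDR_LEN] = { 'T', 'Z', 'i', 'f' };
```

A reader that runs this check on the whole file before calling malloc for any table cannot be driven into allocating a zero-size block and then writing table entries into it.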

Information forwarded to [email protected], GNU Libc Maintainers <[email protected]>:
Bug#772705; Package libc6. (Wed, 10 Dec 2014 11:45:16 GMT)


Message #6 received at [email protected]:

From: Jakub Wilk <[email protected]>
To: [email protected]
Subject: Re: Bug#772705: libc6: buffer overflow in tzset
Date: Wed, 10 Dec 2014 12:40:00 +0100
* Jakub Wilk <[email protected]>, 2014-12-10, 12:30:
>$ TZ=$PWD/crashtz date
>*** Error in `date': free(): invalid next size (fast): 0x0916b160 ***
>Aborted

In case you wonder why anyone would want to use a malformed timezone 
file, see bugs #772706 and #772707.

-- 
Jakub Wilk



Set Bug forwarded-to-address to 'https://sourceware.org/bugzilla/show_bug.cgi?id=17715'. Request was from Jakub Wilk <[email protected]> to [email protected]. (Sun, 21 Dec 2014 21:48:11 GMT)


Information forwarded to [email protected], GNU Libc Maintainers <[email protected]>:
Bug#772705; Package libc6. (Fri, 24 Apr 2015 18:57:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <[email protected]>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <[email protected]>. (Fri, 24 Apr 2015 18:57:05 GMT)


Message #13 received at [email protected]:

From: Salvatore Bonaccorso <[email protected]>
To: Jakub Wilk <[email protected]>, [email protected]
Subject: Re: Bug#772705: libc6: buffer overflow in tzset
Date: Fri, 24 Apr 2015 20:54:49 +0200
Hi

This should be addressed with the following commit:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42261ad731

See: http://www.openwall.com/lists/oss-security/2015/04/24/3

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from [email protected] to [email protected]. (Mon, 27 Apr 2015 16:33:24 GMT)


Reply sent to Aurelien Jarno <[email protected]>:
You have taken responsibility. (Mon, 07 Mar 2016 17:51:45 GMT)


Notification sent to Jakub Wilk <[email protected]>:
Bug acknowledged by developer. (Mon, 07 Mar 2016 17:51:45 GMT)


Message #20 received at [email protected]:

From: Aurelien Jarno <[email protected]>
To: Salvatore Bonaccorso <[email protected]>
Cc: Jakub Wilk <[email protected]>, [email protected]
Subject: Re: Bug#772705: libc6: buffer overflow in tzset
Date: Mon, 7 Mar 2016 18:46:58 +0100
Version: 2.22-1

On 2015-04-24 20:54, Salvatore Bonaccorso wrote:
> Hi
> 
> This should be addressed with the following commit:
> 
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42261ad731
> 
> See: http://www.openwall.com/lists/oss-security/2015/04/24/3

This commit is part of glibc 2.22, which is now in sid. I am therefore
closing the bug with this version.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
[email protected]                 http://www.aurel32.net



Bug archived. Request was from Debbugs Internal Request <[email protected]> to [email protected]. (Wed, 06 Apr 2016 07:25:43 GMT)




Debian bug tracking system administrator <[email protected]>. Last modified: Thu Jun 20 16:12:00 2024; Machine Name: bembo
