[v3.0] coreutils: heap overflow and buffer overflow (CVE-2015-4041, CVE-2015-4042)
CVE-2015-4041
A heap overflow can be triggered in sort(1) as per:
https://bugzilla.suse.com/show_bug.cgi?id=928749
src/sort.c (keycompare_mb) … The current implementation is character based, so we allocate the worst case size for the conversion buffer, which is MB_CUR_MAX for each input byte.
This appears to be caused by performing a size calculation without
properly considering the number of bytes occupied by multibyte
characters.
CVE-2015-4042
There is also a theoretical buffer overflow with data around
SIZE_MAX/2.
This appears to be related to the new “SIZE_MAX - lenb - 2 < lena”
test, which is not specifically associated with use of multibyte
characters. Use CVE-2015-4042.
Reference: http://www.openwall.com/lists/oss-security/2015/05/19/15
https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940
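Added illustration (not coreutils code, and not taken from the commit above) of the two size-calculation hazards the CVE text describes: an output buffer for a character-based multibyte conversion sized from the input length without allowing for expansion (the CVE-2015-4041 class, per the bugzilla comment quoted above), and a combined length lena + lenb + 2 that wraps around size_t when both operands sit near SIZE_MAX/2 (the CVE-2015-4042 class). MB_WORST_CASE, the transform_copy() stand-in for the conversion, the sample input and all function names are assumptions made for this example.

```c
/* Added illustration, not coreutils code.  MB_WORST_CASE, the transform
 * and all function names are assumptions made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for MB_CUR_MAX in a UTF-8 locale (4), fixed here so the example
 * does not depend on setlocale() succeeding. */
#define MB_WORST_CASE 4

/* Constructed character-based transform: uppercase ASCII letters, and map
 * 'i' to the two-byte UTF-8 sequence for U+0130 (what towupper() does for
 * 'i' in a Turkish locale).  Output can therefore be longer than input.
 * Writes at most outcap bytes and returns the number of bytes the full
 * result needs, so the caller can see when the buffer was sized too small. */
size_t transform_copy(const unsigned char *in, size_t len,
                      unsigned char *out, size_t outcap)
{
    size_t need = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        unsigned char enc[2];
        size_t n;
        if (c == 'i') {                 /* 'i' -> U+0130, encoded C4 B0 */
            enc[0] = 0xC4; enc[1] = 0xB0; n = 2;
        } else {
            enc[0] = (c >= 'a' && c <= 'z') ? (unsigned char)(c - 32) : c;
            n = 1;
        }
        if (need + n <= outcap)         /* only write what fits */
            memcpy(out + need, enc, n);
        need += n;
    }
    return need;
}

/* Naive sizing: as many bytes as the input.  Too small as soon as the
 * transform expands a single character. */
size_t naive_conv_size(size_t len) { return len; }

/* Worst-case sizing: MB_WORST_CASE bytes per input byte, with the
 * multiplication checked against size_t before it is trusted. */
bool safe_conv_size(size_t len, size_t *out)
{
    if (len > SIZE_MAX / MB_WORST_CASE)
        return false;
    *out = len * MB_WORST_CASE;
    return true;
}

/* Unchecked combined length.  With lena == lenb == SIZE_MAX/2 the sum
 * lena + lenb + 2 is exactly 2^N and wraps to 0, so an allocation of that
 * size followed by copies of lena and lenb bytes overflows the heap. */
size_t naive_combined_len(size_t lena, size_t lenb) { return lena + lenb + 2; }

/* Guarded form, the same shape as the "SIZE_MAX - lenb - 2 < lena" test
 * quoted above.  The extra lenb > SIZE_MAX - 2 clause keeps the guard's own
 * subtraction from wrapping when lenb alone is within 2 of SIZE_MAX. */
bool safe_combined_len(size_t lena, size_t lenb, size_t *out)
{
    if (lenb > SIZE_MAX - 2 || SIZE_MAX - lenb - 2 < lena)
        return false;
    *out = lena + lenb + 2;
    return true;
}

int main(void)
{
    const unsigned char in[] = "fiji";          /* constructed input */
    size_t len = sizeof in - 1;                  /* 4 bytes, 4 chars */
    unsigned char buf[4 * MB_WORST_CASE];
    size_t cap, total;

    size_t need = transform_copy(in, len, buf, naive_conv_size(len));
    printf("naive cap %zu, bytes needed %zu -> %s\n", naive_conv_size(len),
           need, need > naive_conv_size(len) ? "OVERFLOW" : "ok");

    if (safe_conv_size(len, &cap)) {
        need = transform_copy(in, len, buf, cap);
        printf("worst-case cap %zu, bytes needed %zu -> %s\n", cap, need,
               need > cap ? "OVERFLOW" : "ok");
    }

    size_t half = SIZE_MAX / 2;
    printf("naive lena+lenb+2 at SIZE_MAX/2: %zu\n",
           naive_combined_len(half, half));
    printf("guarded: %s\n",
           safe_combined_len(half, half, &total) ? "fits" : "rejected");
    return 0;
}
```

The transform returns the bytes it needed rather than writing past outcap, so the example shows the undersized buffer without actually corrupting memory; in the real bug that return value is where the out-of-bounds write would have happened.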
(from redmine: issue id 4308, created on 2015-06-12, closed on 2017-09-05)
- Relations:
- parent #4307