author: Siddhesh Poyarekar <siddhesh@redhat.com> 2013-09-23 11:24:30 +0530
committer: Siddhesh Poyarekar <siddhesh@redhat.com> 2013-09-23 11:29:53 +0530
commit: 303e567a8062200dc06acde7c76fc34679f08d8f (patch)
tree: 8e0c198956de9addb51216c5cfccd47d7c4be69b /NEWS
parent: 141f3a77fe4f1b59b0afa9bf6909cd2000448883 (diff)
Check for integer overflow in cache size computation in strcoll
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again.  For very large string
inputs, the cache size computation could overflow.  In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.

Fixes CVE-2012-4412.
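
The check-then-fall-back pattern the commit message describes, as an added example that is not glibc's code: the cache size is computed with overflow checks, and the uncached path is chosen when the size is not representable. The per-character cost, the function names and the enum are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-character cache cost: one int32_t index plus one rule byte.
   Illustrative layout only, not taken from the glibc sources. */
#define PER_CHAR_COST (sizeof(int32_t) + sizeof(unsigned char))

enum coll_path { COLL_CACHED, COLL_UNCACHED };

/* Store (len1 + len2) * PER_CHAR_COST in *out.  Return false when the
   addition or the multiplication would wrap around SIZE_MAX. */
static bool cache_size(size_t len1, size_t len2, size_t *out)
{
    if (len1 > SIZE_MAX - len2)
        return false;
    size_t total = len1 + len2;
    if (total > SIZE_MAX / PER_CHAR_COST)
        return false;
    *out = total * PER_CHAR_COST;
    return true;
}

/* Pick the comparison path: cached when the size is representable,
   otherwise the slower path that needs no cache (*bytes set to 0). */
static enum coll_path choose_path(size_t len1, size_t len2, size_t *bytes)
{
    *bytes = 0;
    return cache_size(len1, len2, bytes) ? COLL_CACHED : COLL_UNCACHED;
}

/* The unchecked computation, kept only to show the wrapped result. */
static size_t unchecked_size(size_t len1, size_t len2)
{
    return (len1 + len2) * PER_CHAR_COST;
}

int main(void)
{
    size_t q = SIZE_MAX / 4, bytes;
    enum coll_path p = choose_path(q, q, &bytes);
    printf("path=%s checked=%zu unchecked=%zu chars=%zu\n",
           p == COLL_CACHED ? "cached" : "uncached",
           bytes, unchecked_size(q, q), q + q);
    return 0;
}
```

With two inputs of `SIZE_MAX / 4` characters each, the unchecked product wraps to a byte count smaller than the number of characters it has to cover, which is the undersized-cache condition the fallback avoids.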
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 6
1 files changed, 6 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 0dbcdbff95..138c735803 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,12 @@ Version 2.19
   15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909,
   15919, 15921, 15923, 15939, 15963, 15966.
 
+* CVE-2012-4412 The strcoll implementation caches indices and rules for
+  large collation sequences to optimize multiple passes.  This cache
+  computation may overflow for large collation sequences and may cause a
+  stack or buffer overflow.  This is now fixed to use a slower algorithm
+  which does not use a cache if there is an integer overflow.
+
 * CVE-2012-4424 The strcoll implementation uses malloc to cache indices and
   rules for large collation sequences to optimize multiple passes and falls
   back to alloca if malloc fails, resulting in a possible stack overflow.
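Review bot: In the new CVE-2012-4412 entry, "This cache computation may overflow" does not say what overflows until the final sentence, and a reader can take it to mean the cache itself rather than the size arithmetic. Suggest wording it as "The cache size computation may overflow for very large inputs" and ending with "which does not use a cache when that computation would overflow". The entry also says "indices and rules" where the commit message says "indices and weights", and "large collation sequences" where the commit message says "very large string inputs"; pick one set of terms so the NEWS text and the commit message describe the same condition. The numbered bug list in the context lines above the entry is unchanged by this hunk, so if a Bugzilla entry tracks this CVE its number should be added there.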