lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <4D2C7857.3000003@halfdog.net>
Date: Tue, 11 Jan 2011 15:33:43 +0000
From: halfdog <me@...fdog.net>
To: Maksymilian Arciemowicz <cxib@...urityreason.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: GNU libc/regcomp(3) Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maksymilian Arciemowicz wrote:
> [ GNU libc/regcomp(3) Multiple Vulnerabilities ]
> 
> Author: Maksymilian Arciemowicz
> http://securityreason.com/
> http://cxib.net/
> Date:
> - Dis.: 01.10.2010
> - Pub.: 07.01.2011
> 
> CERT: VU#912279
> CVE:
> CVE-2010-4051
> CVE-2010-4052

Nice find, but not the first one, look at:

https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/343894

I just reported the issue to ubuntu to see how their bug tracking team
was performing on an issue where a standard byte-array fuzzer just
needed 2 secs to find it. I wanted to know if they could detect a
misclassified issue (was not reported as security bug) and bring it to a
fix. I would have bet that they would be faster than you, but it seems
that you made the race. What I learned from the exercise (see bug
report date March 2009) is that the ubuntu launchpad platform is an
invaluable source of exploits when used together with google mining.

As to the regexes: If you want to start collecting CVEs, many other
programs are also vulnerable to regex resource exhaustion, e.g. using
postgres extended regulars.

As for the segfaults: The problem with memory-allocation errors is quite
common in many programs and not only restricted to regular expressions.
Even many suid-binaries have quite funny behavior when limiting
resources, e.g. to trigger null-pointer deref in sudoedit on lucid,

(gdb) bt
#0  __tsearch (key=0xbfb3e4e0, vrootp=0x1c, compar=0xb14490 <known_compare>)
    at tsearch.c:251
#1  0x00b1407e in *__GI___nss_lookup_function (ni=0x0,
    fct_name=0xb691bb "setpwent") at nsswitch.c:342

See http://www.halfdog.net/Security/LowMemoryProgramCrashing/


- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFNLHisxFmThv7tq+4RAjcXAKCDfYYFfZnSsMbiOg9r3rx62K5tqQCfUHc2
rKfqZKcJnG6KifMjFfXgUMM=
=5JXJ
-----END PGP SIGNATURE-----
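The post's second point, that programs misbehave when memory runs out, is something a maintainer can test for directly. The following is an added example, not code from the post or from glibc: it wraps regcomp(3) so that a failure is reported instead of ignored, and it runs the same compile in a forked child whose address space has been capped with setrlimit(RLIMIT_AS) and whose heap has been drained, so the allocations inside regcomp() fail. A well-behaved libc returns REG_ESPACE there; a child that dies from a signal is the crash class the post describes. The function names, the 1 MiB limit and the drain sizes are this example's own choices.

```c
/* Added example: check regcomp(3) error handling, including the out-of-memory
 * path produced by a lowered RLIMIT_AS. Not part of the original post. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Compile `pattern` as a POSIX extended regex. On failure, write a
 * human-readable message into errbuf and return the regcomp(3) error code. */
int compile_checked(regex_t *preg, const char *pattern, char *errbuf, size_t errlen)
{
    int rc = regcomp(preg, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc != 0 && errbuf != NULL && errlen > 0)
        regerror(rc, preg, errbuf, errlen);
    return rc;
}

/* Classify a pattern: 0 if it compiles, otherwise the regcomp error code. */
int pattern_status(const char *pattern)
{
    regex_t re;
    char msg[128];
    int rc = compile_checked(&re, pattern, msg, sizeof msg);
    if (rc == 0)
        regfree(&re);
    return rc;
}

/* Fill the heap, largest requests first, until every size fails. The loop is
 * bounded so it terminates even if the address-space limit is not enforced. */
static void drain_heap(void)
{
    const size_t sizes[] = { 4096, 512, 64, 16 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        for (unsigned n = 0; n < (1u << 18) && malloc(sizes[i]) != NULL; n++)
            ;
}

/* Compile `pattern` in a child whose address space is capped and whose heap
 * has been drained, so regcomp()'s internal allocations fail. Returns the
 * child's regcomp error code (REG_ESPACE is the well-behaved outcome), or -1
 * if the child crashed or the limit could not be applied. */
int compile_under_memory_pressure(const char *pattern)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* 1 MiB is below what the process already maps, so any further
         * brk/mmap growth fails with ENOMEM and malloc() returns NULL. */
        struct rlimit rl = { 1UL << 20, 1UL << 20 };
        if (setrlimit(RLIMIT_AS, &rl) != 0)
            _exit(255);
        drain_heap();
        regex_t re;
        char msg[64];
        int rc = compile_checked(&re, pattern, msg, sizeof msg);
        if (rc == 0)
            regfree(&re);
        _exit(rc & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1; /* killed by SIGSEGV or similar: the crash class in question */
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    const char *patterns[] = { "^[a-z]+$", "[abc", "(abc" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        regex_t re;
        char msg[128] = "ok";
        int rc = compile_checked(&re, patterns[i], msg, sizeof msg);
        printf("%-10s -> %d (%s)\n", patterns[i], rc, msg);
        if (rc == 0)
            regfree(&re);
    }
    int rc = compile_under_memory_pressure("^[a-z]+$");
    printf("low memory -> %d (%s)\n", rc,
           rc == REG_ESPACE ? "REG_ESPACE, handled cleanly"
           : rc == -1       ? "child crashed or limit not applied"
                            : "unexpected result");
    return 0;
}
```

The same fork-and-limit harness can wrap any library call a program makes on an attacker-influenced input; a non-zero exit code is what you want to see, a signal is what the post's sudoedit backtrace looks like from the outside.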
