Vigil@nce - glibc: unreachable memory reading via fnmatch
March 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a read at an invalid address in the fnmatch()
function of glibc, in order to trigger a denial of service.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 26/02/2015
DESCRIPTION OF THE VULNERABILITY
The fnmatch() function of glibc checks whether a string matches a
pattern:
fnmatch(pattern, string, flags);
For example:
if (fnmatch("*.txt", "file.txt", 0) == 0) ...  /* fnmatch() returns 0 on a match */
However, if the pattern contains an unclosed '[', the
internal_fnmatch() function tries to read a memory area which is
not reachable, which triggers a fatal error.
An attacker can therefore force a read at an invalid address in the
fnmatch() function of glibc, in order to trigger a denial of service.
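A caller-side pre-check for the condition described above, as an added example (not part of the original bulletin and not the glibc fix): it refuses any pattern with an unterminated bracket expression before fnmatch() is called. The names brackets_closed() and safe_fnmatch() are hypothetical, and treating a malformed pattern as a non-match is an assumption about what the calling application wants.

```c
#include <fnmatch.h>
#include <stdio.h>

/* Return 1 only if every '[' in the pattern opens a bracket expression that is closed by ']'. */
int brackets_closed(const char *p, int flags)
{
    int esc = !(flags & FNM_NOESCAPE);          /* is backslash an escape character? */
    while (*p) {
        if (esc && *p == '\\') {
            if (p[1] == '\0') return 0;         /* dangling backslash: reject (conservative) */
            p += 2;
            continue;
        }
        if (*p++ != '[') continue;              /* ordinary character */
        if (*p == '!' || *p == '^') p++;        /* negation marker */
        if (*p == ']') p++;                     /* a leading ']' is a literal member */
        for (;;) {
            if (*p == '\0') return 0;           /* end of pattern inside '[': unclosed */
            if (*p == ']') { p++; break; }      /* bracket expression closed */
            if (esc && *p == '\\') {
                if (p[1] == '\0') return 0;
                p += 2;
            } else if (*p == '[' && (p[1] == ':' || p[1] == '.' || p[1] == '=')) {
                char kind = p[1];               /* [:class:], [.coll.] or [=equiv=] */
                for (p += 2; *p && !(*p == kind && p[1] == ']'); p++) ;
                if (*p == '\0') return 0;       /* inner element never terminated */
                p += 2;
            } else {
                p++;
            }
        }
    }
    return 1;
}

/* Hypothetical wrapper: malformed patterns never reach glibc's matcher. */
int safe_fnmatch(const char *pattern, const char *string, int flags)
{
    if (!pattern || !string || !brackets_closed(pattern, flags))
        return FNM_NOMATCH;
    return fnmatch(pattern, string, flags);
}

int main(void)
{
    printf("*.txt -> %d\n", safe_fnmatch("*.txt", "file.txt", 0));
    printf("[abc  -> %d\n", safe_fnmatch("[abc", "a", 0));
    return 0;
}
```

The check is deliberately stricter than POSIX, which treats an unmatched '[' as a literal character, so it can reject patterns that a fixed fnmatch() would accept.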
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/glibc-unreachable-memory-reading-via-fnmatch-16275