Vigil@nce: glibc, integer overflow via fnmatch
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When an attacker can transmit a value to the fnmatch() function of
the glibc, he can crash the application.
– Severity: 1/4
– Creation date: 12/04/2011
IMPACTED PRODUCTS
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The fnmatch() function of the glibc checks if a string matches a
pattern:
fnmatch(pattern, string, flags);
For example:
if (fnmatch("*.txt", "file.txt", 0) == 0) /* returns 0 on a match */ ...
This function allocates a memory area to store the string.
However, if the length of the string is 0x3fffffff, the computation
"(size+1)*4" overflows, and the fnmatch() function tries to read
at an invalid memory address.
When an attacker can transmit a value to the fnmatch() function of
the glibc, he can therefore crash the application.
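The following C program is an added example, not glibc's code and not part of the original bulletin. It models the size computation "(size+1)*4" with 32-bit unsigned arithmetic (as on a 32-bit build, an assumption) to show that the product wraps to 0 exactly at a length of 0x3fffffff, places a bounds check beside it that rejects such lengths instead of producing a wrapped size, and wraps fnmatch() so that its 0-means-match convention reads as a boolean. The function names unchecked_buffer_size, checked_buffer_size and matches are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <fnmatch.h>

/* Model of the size computation described in the bulletin (added example,
   not glibc's own code): a buffer for a string of length `size` is sized
   as (size + 1) * 4.  With 32-bit unsigned arithmetic the product wraps
   when size == 0x3fffffff, because 0x40000000 * 4 == 0x100000000. */
uint32_t unchecked_buffer_size(uint32_t size)
{
    return (size + 1u) * 4u;   /* wraps to 0 for size == 0x3fffffff */
}

/* Hardened variant: return -1 instead of a wrapped value when the product
   would not fit in 32 bits.  UINT32_MAX / 4 == 0x3fffffff is the smallest
   length for which (size + 1) * 4 exceeds 32 bits. */
int64_t checked_buffer_size(uint32_t size)
{
    if (size >= UINT32_MAX / 4u)
        return -1;
    return (int64_t)(size + 1u) * 4;
}

/* fnmatch() returns 0 on a match and FNM_NOMATCH otherwise; a wrapper
   avoids the classic "if (fnmatch(...))" inverted-condition mistake. */
int matches(const char *pattern, const char *string)
{
    return fnmatch(pattern, string, 0) == 0;
}

int main(void)
{
    uint32_t bad = 0x3fffffffu;

    printf("unchecked (size+1)*4 for 0x%x: 0x%x\n",
           bad, unchecked_buffer_size(bad));
    printf("checked   (size+1)*4 for 0x%x: %lld\n",
           bad, (long long)checked_buffer_size(bad));
    printf("checked   (size+1)*4 for 10:         %lld\n",
           (long long)checked_buffer_size(10));
    printf("\"*.txt\" vs \"file.txt\": %s\n",
           matches("*.txt", "file.txt") ? "match" : "no match");
    printf("\"*.txt\" vs \"file.log\": %s\n",
           matches("*.txt", "file.log") ? "match" : "no match");
    return 0;
}
```

The check in checked_buffer_size is the general pattern for this class of bug: validate the operand against the limit before multiplying, rather than inspecting the product afterwards, since the wrapped product is already a plausible-looking small number.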
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/glibc-integer-overflow-via-fnmatch-10536