Vigil@nce - glibc: use after free via posix_spawn_file_actions_addopen
June 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a freed memory area in the implementation of
the posix_spawn_file_actions_addopen() function in the glibc, in
order to trigger a denial of service, and possibly to execute code.
Impacted products: Unix (platform)
Severity: 2/4
Creation date: 13/06/2014
DESCRIPTION OF THE VULNERABILITY
The posix_spawn_file_actions_addopen() function of the glibc registers
an open action for a file descriptor in a file_actions object, to be
performed in the child process created by posix_spawn():
int posix_spawn_file_actions_addopen(file_actions, fd, path, ...);
However, it stores only the caller's pointer and does not copy the
path for its internal usage. If the calling process frees the memory
area containing this path before the action is performed, the glibc
thus continues to use the freed memory.
An attacker can therefore use a freed memory area in the
implementation of the posix_spawn_file_actions_addopen() function
in the glibc, in order to trigger a denial of service, and
possibly to execute code.
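Caller-side mitigation, as an added example that is not part of the bulletin or of the glibc: because the affected glibc keeps the caller's pointer until the actions are applied, the path buffer must stay valid at least until posix_spawn() has run; the hypothetical spawn_actions wrapper below keeps its own copies of every path and frees them only after the actions object is destroyed, so the caller may free its buffer immediately.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <spawn.h>
#include <stdlib.h>
#include <string.h>

#define OWNED_MAX 8

/* file_actions plus private copies of every path it references (hypothetical). */
struct spawn_actions {
    posix_spawn_file_actions_t fa;
    char *owned[OWNED_MAX];
    int n_owned;
};

int spawn_actions_init(struct spawn_actions *sa) {
    sa->n_owned = 0;
    return posix_spawn_file_actions_init(&sa->fa);
}

/* Copy path before registering it, so the caller may free its own buffer. */
int spawn_actions_addopen(struct spawn_actions *sa, int fd, const char *path,
                          int oflag, mode_t mode) {
    if (sa->n_owned >= OWNED_MAX) return ENOMEM;
    char *copy = strdup(path);
    if (copy == NULL) return ENOMEM;
    int rc = posix_spawn_file_actions_addopen(&sa->fa, fd, copy, oflag, mode);
    if (rc != 0) { free(copy); return rc; }
    sa->owned[sa->n_owned++] = copy;
    return 0;
}

/* The copies outlive the actions object: destroy it first, then free them. */
void spawn_actions_destroy(struct spawn_actions *sa) {
    posix_spawn_file_actions_destroy(&sa->fa);
    for (int i = 0; i < sa->n_owned; i++) free(sa->owned[i]);
    sa->n_owned = 0;
}

/* Constructed check: free the caller's buffer right after registration;
 * returns 0 when the wrapper still holds an intact copy of "/dev/null". */
int demo_free_before_spawn(void) {
    struct spawn_actions sa;
    char *buf = strdup("/dev/null");
    if (buf == NULL || spawn_actions_init(&sa) != 0) return -1;
    int rc = spawn_actions_addopen(&sa, 1, buf, O_WRONLY, 0);
    free(buf);                      /* safe: fa references the copy, not buf */
    if (rc == 0 && strcmp(sa.owned[0], "/dev/null") != 0) rc = -2;
    spawn_actions_destroy(&sa);
    return rc;
}
```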
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/glibc-use-after-free-via-posix-spawn-file-actions-addopen-14900