From: Florian Weimer
To: Charles Fol
Cc: oss-security@lists.openwall.com
Date: Mon, 27 May 2024 12:31:46 +0200
Message-ID: <87bk4r1r71.fsf@oldenburg.str.redhat.com>
In-Reply-To: <7789a6d5-92c9-4239-8a07-7b0131ed166b@lexfo.fr> (Charles Fol's message of "Mon, 27 May 2024 11:16:53 +0200")
References: <23c15272-d797-4c3c-bbfb-e462c900978f@gmail.com> <20240418164242.GA2468@openwall.com> <7789a6d5-92c9-4239-8a07-7b0131ed166b@lexfo.fr>
Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm
Reply-To: oss-security@lists.openwall.com
Subject: Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

* Charles Fol:

> Hello all,
>
> Although very late, here is a follow-up explaining the impact of the
> vulnerability.
>
> Provided that you can force an application to convert a partially
> controlled buffer to ISO-2022-CN-EXT, you get an overflow of 1 to 3
> bytes whose value you don't control.
>
> This can be triggered in at least two ways in PHP:
>
> - Through direct calls to iconv()
> - Through the use of PHP filters (i.e. using a "file read" vulnerability)
>
> Due to the way PHP's heap is built, you can use such a memory corruption
> to alter part of a free list pointer, which can in turn give you an
> arbitrary write primitive in the program's memory.
>
> With this bug, any person that has a file read vulnerability with a
> controlled prefix on a PHP application has RCE.

Out of curiosity, why would PHP translate a file to ISO-2022-CN-EXT while
reading it?  It's not even an ASCII-transparent charset.

Thanks,
Florian
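The following harness is an added example and is not code from the thread, from glibc or from PHP. It checks, on the machine it runs on, the property Charles Fol describes: whether the UTF-8 to ISO-2022-CN-EXT encoder in the local libc stays inside the caller's output buffer when it has to emit one of the 4-byte SS2/SS3 designation escapes of RFC 1922 (ESC $ * H for CNS 11643 plane 2, ESC $ + I..M for planes 3 to 7), which is the write the upstream CVE-2024-2961 fix bounds-checks. It encodes a constructed sample once with ample room to learn the exact output size, then repeats the conversion with every shorter output capacity, placing a canary directly after the buffer; on an unfixed glibc the capacities that leave 1 to 3 bytes before the escape get the canary overwritten, on a fixed one every short capacity ends with E2BIG and an intact canary. The sample's CJK character (U+5284) is an assumption about which code points take the plane-2 path; the harness inspects the full encoding and says so if the assumption does not hold. The canary length and the file name in the build comment are likewise arbitrary choices of this example; the PHP trigger paths from the quoted message are not reproduced here.

```c
/* Canary-based probe for out-of-bounds writes by the ISO-2022-CN-EXT encoder.
 * Added example, not part of the original thread. Build: cc -Wall -o probe probe.c
 * (file name is hypothetical). Needs a libc with a UTF-8 -> ISO-2022-CN-EXT
 * gconv module; otherwise it reports the converter as unavailable. */
#include <iconv.h>
#include <stdio.h>
#include <string.h>

#define CANARY_BYTE 0xAA
#define CANARY_LEN  8          /* arbitrary; the reported overflow is a few bytes */
#define MAX_OUT     256        /* inputs whose encoding exceeds this are rejected */

/* Negative return codes of sweep_output_bounds(). */
enum { SWEEP_UNAVAILABLE = -1,   /* no UTF-8 -> ISO-2022-CN-EXT converter here */
       SWEEP_UNCONVERTIBLE = -2  /* input not representable, or longer than MAX_OUT */ };

/* Convert in[0..inlen) into out (capacity cap), then flush the shift state.
 * Returns bytes written, or -1 with errno left as set by iconv (E2BIG when
 * a correct encoder runs out of room). */
static long convert(iconv_t cd, const char *in, size_t inlen, char *out, size_t cap)
{
    char *ip = (char *)in, *op = out;   /* iconv takes char **, hence the cast */
    size_t il = inlen, ol = cap;

    iconv(cd, NULL, NULL, NULL, NULL);                  /* back to the initial state */
    if (iconv(cd, &ip, &il, &op, &ol) == (size_t)-1)
        return -1;
    if (iconv(cd, NULL, NULL, &op, &ol) == (size_t)-1)  /* closing shift, if any */
        return -1;
    return (long)(op - out);
}

/* Does an ISO-2022-CN-EXT byte string contain a 4-byte SS2/SS3 designation
 * (RFC 1922): ESC $ * H for CNS 11643 plane 2, ESC $ + I..M for planes 3-7? */
int has_ss_designation(const char *buf, size_t len)
{
    for (size_t i = 0; i + 3 < len; i++) {
        const unsigned char *p = (const unsigned char *)buf + i;
        if (p[0] != 0x1b || p[1] != '$')
            continue;
        if (p[2] == '*' && p[3] == 'H')
            return 1;
        if (p[2] == '+' && p[3] >= 'I' && p[3] <= 'M')
            return 1;
    }
    return 0;
}

/* Encode `in` once to learn its exact output size `need`, then re-run the
 * conversion for every capacity 0..need-1 with a canary right after the
 * buffer. Returns how many of those capacities were written past their end
 * (0 for an encoder that respects its bound) or a SWEEP_* code. If
 * uses_ss_designation is non-NULL it receives whether the full encoding
 * contains an SS2/SS3 designation at all, i.e. whether the sweep exercised
 * the code path in question. */
int sweep_output_bounds(const char *in, size_t inlen, int *uses_ss_designation)
{
    iconv_t cd = iconv_open("ISO-2022-CN-EXT", "UTF-8");
    if (cd == (iconv_t)-1)
        return SWEEP_UNAVAILABLE;

    char full[MAX_OUT];
    long need = convert(cd, in, inlen, full, sizeof full);
    if (need < 0) {
        iconv_close(cd);
        return SWEEP_UNCONVERTIBLE;
    }
    if (uses_ss_designation)
        *uses_ss_designation = has_ss_designation(full, (size_t)need);

    char out[MAX_OUT + CANARY_LEN];
    int overflows = 0;
    for (size_t cap = 0; cap < (size_t)need; cap++) {
        memset(out, 0, sizeof out);
        memset(out + cap, CANARY_BYTE, CANARY_LEN);  /* canary starts at the bound */
        convert(cd, in, inlen, out, cap);             /* expected to stop with E2BIG */
        for (size_t k = 0; k < CANARY_LEN; k++) {
            if ((unsigned char)out[cap + k] != CANARY_BYTE) {
                overflows++;                          /* something landed past `cap` */
                break;
            }
        }
    }
    iconv_close(cd);
    return overflows;
}

int main(void)
{
    /* Constructed sample: a controlled ASCII prefix (the "controlled prefix"
     * of the quoted message) followed by U+5284, assumed here to be encoded
     * through a CNS 11643 plane-2 designation. */
    static const char sample[] = "AAAA\xe5\x8a\x84";
    int ss = 0;
    int r = sweep_output_bounds(sample, sizeof sample - 1, &ss);

    if (r == SWEEP_UNAVAILABLE)
        puts("no UTF-8 -> ISO-2022-CN-EXT converter available on this system");
    else if (r == SWEEP_UNCONVERTIBLE)
        puts("sample is not representable in ISO-2022-CN-EXT; choose another character");
    else if (!ss)
        puts("sample never emits an SS2/SS3 designation; choose another character");
    else
        printf("%d short output buffers were written past their end: %s\n", r,
               r ? "encoder is unfixed for CVE-2024-2961" : "bounds respected");
    return 0;
}
```

Run it against each glibc build you care about; a non-zero count means the converter on that box still writes the designation escape without a bounds check, and the count itself shows how many distinct buffer sizes around the escape are affected, which is the "1 to 3 bytes" window in the quoted message. An ASCII-only input is a useful control: it must always sweep clean, since no escape is ever emitted for it.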