[PATCH FOR REVIEW] Potential Buffer Overflow in java_props_md.c
Andrew Hughes
ahughes at redhat.com
Wed Aug 1 20:44:08 UTC 2012
----- Original Message -----
> Hi Andrew,
>
> No, I'm NOT against fixing this "potential" risk at all. Just tried to
> point out that this might not be an "immediate" breach.
>
Oh, I know. Just might be nice to get the patch in after four years :-)
> It was a mistake to drop the list.
>
No problem. I don't want to post a mail publicly if it was meant to be private.
> -Sherman
>
> On 08/01/2012 01:11 PM, Andrew Hughes wrote:
> > ----- Original Message -----
> >> On 08/01/2012 06:52 AM, Andrew Hughes wrote:
> >>
> >>
> >>
> >> Also if you read the old mails then you'll see that we were scratching
> >> our heads as to an example that would demonstrate the original issue.
> >> I suspect it may have been something that someone spotted rather than
> >> someone running with a locale of this length. Well, the locale can be
> >> set by an environment variable, so it could potentially be anything of
> >> any length...
> >>
> >> The Debian bug posted above has an example, though I couldn't
> >> replicate it.
> >> The spec says
> >>
> >> "If the value of any of these environment variable searches yields a
> >> locale that is not supported (and non-null), setlocale () shall
> >> return a null pointer and the locale of the process shall not be
> >> changed..."
> >>
> >> So basically setLocale() should not return whatever you set in your
> >> corresponding environment variable, it only returns if such a
> >> "supported"/installed locale exists. I doubt there is such a locale
> >> anywhere on a real platform.
> >> But in theory that could happen, if you try to configure a locale with
> >> name > 64 and successfully install it.
> >>
> >>
> >> -Sherman
> >>
> >>
> >>
> > I still don't see any reason not to just close the hole. AFAICS, it's
> > also feasibly possible for a variant to appear in the future that takes
> > the length over 63 characters.
> >
> > Any reason you didn't reply on list?
> >
> > Thanks,
>
>
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
More information about the core-libs-dev mailing list
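
The length check discussed in this thread, as an added example that is not part of the original message or of the JDK source: it handles a NULL return from setlocale() and refuses a locale name or "@variant" part that does not fit a fixed buffer. The 64-byte buffer size is an assumption taken from the "63 characters" mentioned above, and `split_locale_name`, `copy_bounded` and `LOCALE_BUF_LEN` are hypothetical names.

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>

#define LOCALE_BUF_LEN 64 /* assumption: room for 63 characters plus NUL */

/* Copy n bytes of src into dst only if they fit with the terminating NUL. */
static int copy_bounded(const char *src, size_t n, char *dst, size_t dstlen)
{
    if (dstlen == 0 || n >= dstlen)
        return -1;              /* refuse rather than overflow or truncate */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hypothetical helper: split "base@variant" into two fixed buffers.
 * Returns 0 on success, -1 if name is NULL or either part does not fit. */
int split_locale_name(const char *name, char *base, size_t baselen,
                      char *variant, size_t varlen)
{
    const char *at;

    if (base && baselen) base[0] = '\0';
    if (variant && varlen) variant[0] = '\0';
    if (name == NULL || base == NULL || variant == NULL)
        return -1;              /* setlocale() returns NULL on failure */
    at = strchr(name, '@');
    if (at == NULL)
        return copy_bounded(name, strlen(name), base, baselen);
    if (copy_bounded(name, (size_t)(at - name), base, baselen) != 0)
        return -1;
    return copy_bounded(at + 1, strlen(at + 1), variant, varlen);
}

int main(void)
{
    char base[LOCALE_BUF_LEN], variant[LOCALE_BUF_LEN];
    const char *lc = setlocale(LC_ALL, "");   /* NULL if the locale is unsupported */

    if (split_locale_name(lc, base, sizeof base, variant, sizeof variant) != 0) {
        fprintf(stderr, "locale name missing or too long\n");
        return 1;
    }
    printf("base=%s variant=%s\n", base, variant);
    return 0;
}
```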