-
Story
-
Resolution: Unresolved
-
Normal
-
None
-
glibc-2.39-69.el10
-
Low
-
cb4692ce1edd5a81c2521de49dfef6125141d1c7
-
1
-
rhel-pt-c-libs
-
ssg_platform_tools
-
1
-
False
-
False
-
-
No
-
PT C Libraries 2025 S13
-
Pass
-
Automated
-
Unspecified Release Note Type - Unknown
-
-
All
-
Linux
-
None
We should backport this upstream commit:
commit cb4692ce1edd5a81c2521de49dfef6125141d1c7
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Dec 27 09:17:41 2024 +0100
libio: asprintf should write NULL upon failure
This was suggested most recently by Solar Designer, noting
that code replacing vsprintf with vasprintf in a security fix
was subtly wrong:
Re: GStreamer Security Advisory 2024-0003: Orc compiler
stack-based buffer overflow
<https://www.openwall.com/lists/oss-security/2024/07/26/2>
Previous libc-alpha discussions:
I: [PATCH] asprintf error handling fix
<https://inbox.sourceware.org/libc-alpha/20011205185828.GA8376@ldv.office.alt-linux.org/>
asprintf() issue
<https://inbox.sourceware.org/libc-alpha/CANSoFxt-cdc-+C4u-rTENMtY4X9RpRSuv+axDswSPxbDgag8_Q@mail.gmail.com/>
I don't think we need a compatibility symbol for this. As the
GStreamer example shows, this change is much more likely to fix bugs
than cause compatibility issues.
Suggested-by: Dmitry V. Levin <ldv@altlinux.org>
Suggested-by: Archie Cobbs <archie.cobbs@gmail.com>
Suggested-by: Solar Designer <solar@openwall.com>
Reviewed-by: Sam James <sam@gentoo.org>
A lot of software assumes that it's always possible to free the pointer, whether asprintf succeeds or not, and this change adjusts glibc accordingly.
- links to
-
RHBA-2025:154471
glibc update