131 lines
4.9 KiB
Text
131 lines
4.9 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-14:15.iconv Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: iconv(3) NULL pointer dereference and out-of-bounds array access
|
|
|
|
Category: core
|
|
Module: libc/iconv
|
|
Announced: 2014-06-24
|
|
Credits: Manuel Mausz, Tijl Coosemans
|
|
Affects: FreeBSD 10.0
|
|
Corrected: 2014-03-04 12:43:10 UTC (stable/10, 10.0-STABLE)
|
|
2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
|
|
CVE Name: CVE-2014-3951
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:http://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The iconv(3) API allows converting text data from one character set
|
|
encoding to another. Applications first open a converter between two
|
|
encodings using iconv_open(3) and then convert text using iconv(3).
|
|
HZ is an encoding of the GB2312 character set used for simplified
|
|
Chinese characters. VIQR is an encoding for Vietnamese characters.
|
|
|
|
II. Problem Description
|
|
|
|
A NULL pointer dereference in the initialization code of the HZ module and
|
|
an out of bounds array access in the initialization code of the VIQR module
|
|
make iconv_open(3) calls involving HZ or VIQR result in an application crash.
|
|
|
|
III. Impact
|
|
|
|
Services where an attacker can control the arguments of an iconv_open(3)
|
|
call can be caused to crash resulting in a denial-of-service. For example,
|
|
an email encoded in HZ may cause an email delivery service to crash if it
|
|
converts emails to a more generic encoding like UTF-8 before applying
|
|
filtering rules.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but systems that do not process untrusted
|
|
Chinese or Vietnamese input are not affected by this vulnerability.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 10.0]
|
|
# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch
|
|
# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch.asc
|
|
# gpg --verify iconv.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart all deamons using the library, or reboot the system.
|
|
|
|
3) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r262731
|
|
releng/10.0/ r267829
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3951>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:15.iconv.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2
|
|
|
|
iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnmqsP/1VXkGjjBB34Qh43HGxmVofB
|
|
8Zfkc19nQtHvQaS+wAUfm10Onu2QJUPPm5OZL+kYYxJs1G4/VLTDTl/7cHBkCoA0
|
|
abdDpRbtG6CMHfnaARpMOAkg+uvHl41pjHgr+mi4TRYivzSNp+qfw8BsPJ21DAS6
|
|
Om6H6m+ggHjTXrtniBtQ+os2wfxbGGMJQzL94QC+tyzzFTEknIt8lgn6hboh99eV
|
|
pQb8WnSRCPuyiw+hKHdOOS7er7ZCIy9l0VWWfyJzcZP3/W5q6qSNCdnMUNZsTk0L
|
|
ruiUrhRjookK6/3VKb+9/YMfpB8xuQad2fk2mbQZkaxdSVJyFIfOI6Y9PJYbx9BP
|
|
Z7Bp0qyEGs+5/CZhiSwr2E/3k7kNe+30dvbPE0SBw9JNS4T0FyzlRUM4Y8s843Lf
|
|
GUcacSLcgCv8DUU517GmTL+UvnE+dajppr/vueRTC2T0mj8OX1qukq1Rjs9RpZkc
|
|
l2ajo3TbMZjwwivEsJEI2706tqv2v7+xON6WrZbUvbXlp4Kw7v01pS2Z3DFIeK8d
|
|
D9H80XuBIM6ZvMUd3NZHBGBjcxYEHvB5hM26ceCAP/ZvOSa4jp8vVQcPVONwj55n
|
|
RvX+K66t3yGiRznjhUUL+/8T9ulcI8TomgKL+U3UXasinYU9F4v55yXRugYvgnig
|
|
jh8e1kgmRt2rt5ZLthe5
|
|
=Wr8S
|
|
-----END PGP SIGNATURE-----
|