[flashrom] [Security Announcement] fscanf format string security bug in flashrom layout code

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Sun Mar 13 18:38:21 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

On 13.03.2016 18:29, Carl-Daniel Hailfinger wrote:
> An internal security audit of the flashrom project by
> Carl-Daniel Hailfinger found a buffer overflow bug present in all
> flashrom versions since the year 2005.
> This bug was independently found and reported to flashrom.org by
> Cosmin Gorgovan a few days ago.
> 
> A buffer on the stack and a buffer on the heap are affected by the
> overflow caused by an incorrect fscanf format string.
> The buffer overflow can only be triggered if the optional layout feature
> is used and if the user manually specifies a specially crafted layout
> file on the command line. Command line parsing and flash image handling
> do not trigger the buggy code path.
> Most usage of flashrom does not involve layout files.
> 
> The fix in this commit (changed fscanf format string) can be applied to
> layout.c of all past flashrom versions.
> 
> Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net>
> Acked-by: Stefan Tauner <stefan.tauner at alumni.tuwien.ac.at>

Committed in r1953.

Regards,
Carl-Daniel
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iD8DBQFW5aWNRdNMz2eF/AERAgYrAJ0SzPNjYPs7skeFg4/ko0H6z3S2WwCeJ+aL
MXdaNHOr5u0W6XFqmoTW2Uo=
=Q91L
-----END PGP SIGNATURE-----
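An added illustration of the bug class described in the commit message above, written for this archive page and not taken from flashrom's layout.c: a scanf-family "%s" conversion with no field width writes as many bytes as the input supplies into a fixed-size destination, regardless of that destination's size. The "start:end name" line format, the 32-byte name buffer and the function names are assumptions for the example; flashrom's real buffer sizes and fix differ in detail. sscanf is used so the block runs on a string, but the width-specifier semantics are identical for fscanf reading a layout file.

```c
/* Added example: unbounded "%s" vs. width-limited "%31s" in a layout parser.
 * Not flashrom's code; the line format and buffer size are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32   /* assumed destination size for the region name */

struct romentry {
    unsigned int start;
    unsigned int end;
    char name[NAME_LEN];
};

/* "Before": no width on %s, so a name longer than NAME_LEN-1 bytes would
 * overrun a NAME_LEN-sized destination.  To show the overrun without
 * corrupting real memory, parse into a larger scratch buffer and report how
 * many bytes would have landed past the end of a NAME_LEN buffer. */
size_t parse_unbounded_overrun(const char *line)
{
    char scratch[256];
    unsigned int start, end;

    memset(scratch, 0, sizeof scratch);
    if (sscanf(line, "%x:%x %s", &start, &end, scratch) != 3)
        return 0;
    size_t written = strlen(scratch) + 1;   /* bytes written incl. NUL */
    return written > NAME_LEN ? written - NAME_LEN : 0;
}

/* "After": width-limited conversion (31 == NAME_LEN - 1, leaving room for
 * the NUL) plus a check that the whole line was consumed.  %31s stops after
 * 31 bytes; %n records how far the match got, so an over-long name is
 * rejected instead of silently truncated.  Without that check, fscanf would
 * hand the leftover characters to the next call as if they were the start
 * of the following line. */
int parse_layout_line(const char *line, struct romentry *e)
{
    int consumed = 0;

    if (sscanf(line, "%x:%x %31s%n", &e->start, &e->end, e->name, &consumed) != 3)
        return -1;
    /* Only trailing whitespace or a newline may follow the name. */
    for (const char *p = line + consumed; *p; p++)
        if (*p != ' ' && *p != '\t' && *p != '\n' && *p != '\r')
            return -1;
    if (e->start > e->end)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines; the 40-character name is the attack case. */
    const char *good = "00000000:0000ffff bootblock\n";
    const char *bad  = "00010000:0001ffff aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n";
    struct romentry e;

    printf("unbounded %%s would overrun by %zu bytes\n", parse_unbounded_overrun(bad));
    printf("bounded parse of good line: %d\n", parse_layout_line(good, &e));
    printf("bounded parse of bad line:  %d\n", parse_layout_line(bad, &e));
    return 0;
}
```

The width alone stops the memory write; the %n check is the extra step a practitioner wants, because a silently truncated name followed by stray bytes in the stream is still a parsing bug, just no longer a memory-safety one.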
