[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-gettext] intl: Proof against invalid offset/length

From: Carlos O'Donell
Subject: Re: [bug-gettext] intl: Proof against invalid offset/length
Date: Wed, 11 Mar 2015 02:39:31 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

On 03/11/2015 02:01 AM, Daiki Ueno wrote:
> It is surprising that there are no checks of lengths/offsets read from
> MO files.  Currently, I'm thinking of the attached patch (to gettext),
> which is a bit complicated.  If anyone could suggest a cleaner approach,
> I'd appreciate it.

Why does it surprise you?

The MO files are writable only by root, so it's not a security issue
because if you could write to them you'd be root, and you'd have
full access to the system anyway.

The other alternative is that the filesystem is corrupted and loading
the MO file crashes your application. This is expected since the
filesystem is corrupted. You are suggesting we add some rather complex
checking for the possibly low probability case of a corrupted
filesystem. If the filesystem is corrupted other things will be failing
and you need to fix the corruption.

What strong technical reasons do you have for propsing these additional


reply via email to

[Prev in Thread] Current Thread [Next in Thread]