home.social

#iconv — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #iconv, aggregated by home.social.

  1. Today in "this should not have been a ": github.com/DrHyde/shellscripts

    The around the invocation of are for portability (some versions of it DIE if you silence STDOUT the normal way by redirecting it to /dev/null) and then once it was a three line script I thought "wouldn't it be nice if it took arguments, and had doco, and handled errors", and at no point was solving the next little problem enough to make me re-write it in a better language, and then ... 1/2

  2. Buffer Overflow in GNU C Library Affects Older Versions

    Date: April 17, 2024

    CVE: CVE-2024-2961

    Vulnerability Type: Out-of-bounds Write

    CWE: [[CWE-787]]

    Sources: SecurityVulnerability.io, NVD Mitigation blog

    Issue Summary

    A critical buffer overflow vulnerability has been identified in the GNU C Library's iconv function when converting charsets to certain Chinese Extended encodings. This flaw occurs when converting strings to the ISO-2022-CN-EXT character set in versions prior to 2.40, potentially leading to application crashes or memory corruption.

    Technical Key Findings

    The vulnerability stems from improper boundary checks during character set conversion, allowing up to 4 bytes of overflow. This could enable attackers to execute arbitrary code or disrupt program operation by manipulating memory locations adjacent to the buffer.

    Vulnerable Products

    All versions of GNU C Library older than 2.40 are susceptible. (That's potentially 24 years of a buffer overflow presence in the glibc!)

    Impact Assessment

    The vulnerability poses a high risk, potentially affecting the confidentiality, integrity, and availability of systems utilizing the affected library versions. There is no evidence of active exploitation yet, but the severity of potential impacts warrants prompt attention.

    Patches or Workaround

    The GNU C Library has released patches for this vulnerability. Users are advised to update to version 2.40 or later. If you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv.

    Check if you are vulnerable

    // The first line of the linker version info should include the version of glibc (either as GLIBC or GNU libc).

    ldd --version

    // Check if the vulnerable encodings are enabled in iconv:

    iconv -l | grep -E 'CN-?EXT'

    If they are, you will see an output like:

    ISO-2022-CN-EXT//
    ISO2022CNEXT//

    Tags

    #GNUCLibrary #CVE-2024-2961 #BufferOverflow #SecurityPatch #ISO2022CNEXT #CVE20242961 #iconv #iconvglibc

  3. tl;dr: upgrade glibc on your servers!

    Summing it up, there's a vulnerability (CVE-2024-2961) on glibc that, apparently, can be used to get RCE on servers running PHP.
    It's recommended that you update glibc to a patched version.

    security-tracker.debian.org/tr
    bugzilla.redhat.com/show_bug.c

    There's an upcoming talk on May 10 where the researcher will explain how it was used to hack PHP servers.

    offensivecon.org/speakers/2024

    #PHP #glibc #iconv

  4. #iconv & #csvq to the rescue!
    Damit lässt sich wenigstens ein Teil der Kaputtheit umgehen.

    Es ist trotzdem frustrierend, dass es an so basalen Dingen bei einer derart riesigen Organisation wie der #DSGV scheitert und man um deren Unzulänglichkeiten herum arbeiten muss.

    Immerhin kann ich jetzt mal wieder meine csvq-Skills auffrischen.
    Ein absolut geniales Tool, mit welchem sich ein CSV/TSV/JSON-File wie eine SQL-DB abfragen & bearbeiten lässt:
    mithrandie.github.io/csvq/

    #CSV #Neuland #Sparkasse