Allele Security Alert
ASA-2019-00403
Identifier(s)
ASA-2019-00403, CVE-2019-5600, FreeBSD-SA-19:09.iconv.asc
Title
iconv buffer overflow
Vendor(s)
The FreeBSD Project
Product(s)
FreeBSD
Affected version(s)
All supported versions of FreeBSD
Fixed version(s)
2019-07-03 00:01:38 UTC (stable/12, 12.0-STABLE)
2019-07-03 00:00:39 UTC (releng/12.0, 12.0-RELEASE-p7)
2019-07-03 00:03:14 UTC (stable/11, 11.3-PRERELEASE)
2019-07-03 00:00:39 UTC (releng/11.3, 11.3-RC3-p1)
2019-07-03 00:00:39 UTC (releng/11.2, 11.2-RELEASE-p11)
Proof of concept
Unknown
Description
The iconv(3) API converts text data from one character encoding to another and is available as part of the standard C library (libc).
With certain inputs, iconv may write beyond the end of the output buffer.
Depending on how iconv is used, an attacker may be able to cause a denial of service, provoke incorrect program behavior, or achieve remote code execution. Because iconv is a libc function, the nature of possible attacks depends on how applications or daemons call it.
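An added example, not from the advisory or the FreeBSD Project: a test wrapper that calls iconv(3) with a guard region placed after the output buffer and checks that the call stayed within the declared capacity. This alert does not list the triggering inputs, so the sample input, the UTF-8 to UCS-2LE pair and the name guarded_iconv are assumptions chosen for illustration.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <string.h>

#define GUARD_LEN 16
#define GUARD_BYTE 0xA5

/* Convert in[0..inlen) from UTF-8 to UCS-2LE into a buffer of outcap usable
 * bytes followed by a guard region, then verify iconv stayed in bounds.
 * Returns bytes written (>= 0), -1 on conversion error, or -2 if the guard
 * was modified or iconv's accounting is inconsistent (out-of-bounds write). */
long guarded_iconv(const char *in, size_t inlen, size_t outcap)
{
    unsigned char buf[256 + GUARD_LEN];
    if (outcap > 256)
        return -1;
    memset(buf, GUARD_BYTE, sizeof buf);   /* guard pattern fills everything first */

    iconv_t cd = iconv_open("UCS-2LE", "UTF-8");   /* assumed encoding pair */
    if (cd == (iconv_t)-1)
        return -1;

    char *inp = (char *)in;                /* iconv(3) takes char **; input data is not modified */
    char *outp = (char *)buf;
    size_t inleft = inlen, outleft = outcap;
    size_t rc = iconv(cd, &inp, &inleft, &outp, &outleft);
    int err = errno;
    iconv_close(cd);

    /* Contract checks: the pointer and the counter must agree and stay in range. */
    if (outleft > outcap || (size_t)(outp - (char *)buf) != outcap - outleft)
        return -2;
    for (size_t i = outcap; i < sizeof buf; i++)
        if (buf[i] != GUARD_BYTE)
            return -2;                     /* write past the declared capacity */

    if (rc == (size_t)-1 && err != E2BIG)
        return -1;                         /* EILSEQ / EINVAL: reject the input */
    return (long)(outcap - outleft);       /* E2BIG: partial output, still in bounds */
}

int main(void)
{
    const char sample[] = "iconv test";    /* constructed sample input */
    printf("fits:      %ld\n", guarded_iconv(sample, strlen(sample), 64));
    printf("too small: %ld\n", guarded_iconv(sample, strlen(sample), 7));
    return 0;
}
```

A return value of -2 from this wrapper on any input means the libc under test wrote outside the buffer it was given; the wrapper does not by itself prove a system is free of CVE-2019-5600.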
Technical details
Unknown
Workaround
Unknown
Credits
Andrea Venturoli (NetFence)
Reference(s)
iconv buffer overflow
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:09.iconv.asc
[base] Revision 349622
https://svnweb.freebsd.org/base?view=revision&revision=r349622
[base] Revision 349621
https://svnweb.freebsd.org/base?view=revision&revision=r349621
[base] Revision 349624
https://svnweb.freebsd.org/base?view=revision&revision=r349624
CVE-2019-5600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5600
CVE-2019-5600
https://nvd.nist.gov/vuln/detail/CVE-2019-5600
Last modified: July 3, 2019