EditorConfig Core C Stack-Based Buffer Overflow Vulnerability in ec_glob() Function Allowing Denial-of-Service

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the EditorConfig Core C library, affecting versions up to and including 0.12.10. The issue arises in the ec_glob() function, where an unbounded strcpy() copies attacker-controlled data into a fixed-size stack buffer, overwriting the stack. The vulnerability can be triggered with a crafted directory structure and .editorconfig file, crashing any application that uses libeditorconfig. On Ubuntu 24.04 the overflow is converted into a SIGABRT signal, causing a denial-of-service condition. The vulnerability is an incomplete fix for CVE-2023-0341: the pcre_str buffer was properly protected in version 0.12.6, but the adjacent l_pattern stack buffer remained unguarded.
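
The defect class described above, shown as an added illustration rather than EditorConfig's own code: an unbounded strcpy() into a fixed-size stack buffer beside a length-checked replacement. The buffer size PATTERN_MAX, the function names and the "dir/" sample pattern are assumptions for the example; the real sizes and internals of libeditorconfig are not taken from this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; the real libeditorconfig size is not
 * stated on this page. */
#define PATTERN_MAX 64

/* Vulnerable shape of the defect: the pattern built from the directory path
 * and the .editorconfig section name is copied with strcpy() into a fixed-size
 * stack array with no length check, so a pattern of PATTERN_MAX bytes or more
 * writes past the end of l_pattern.
 * Returns the copied length; never call it with untrusted input. */
static long glob_copy_unchecked(const char *pattern)
{
    char l_pattern[PATTERN_MAX];
    strcpy(l_pattern, pattern);            /* unbounded copy: stack overflow */
    return (long)strlen(l_pattern);
}

/* Hardened shape: measure first and refuse anything that does not fit with
 * its terminating NUL, then do a bounded copy.
 * Returns the copied length, or -1 if the pattern is too long. */
static long glob_copy_checked(const char *pattern)
{
    char l_pattern[PATTERN_MAX];
    size_t n = strlen(pattern);
    if (n >= sizeof l_pattern)
        return -1;                         /* reject instead of overflowing */
    memcpy(l_pattern, pattern, n + 1);     /* n + 1 includes the NUL */
    return (long)n;
}

int main(void)
{
    /* Constructed sample: 20 nested "dir/" components plus a section name,
     * mirroring how deep nesting alone pushes the pattern over the limit. */
    char pattern[256] = "";
    for (int i = 0; i < 20; i++)
        strcat(pattern, "dir/");
    strcat(pattern, "*.c");

    long r = glob_copy_checked(pattern);
    printf("%zu-byte pattern: %s\n", strlen(pattern),
           r < 0 ? "rejected (would have overflowed)" : "copied");
    return 0;
}
```

The checked variant turns the crash into an ordinary error return, which is the behaviour a caller such as a text editor needs from the library.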

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, leading to a crash of the application. On systems with FORTIFY_SOURCE enabled, such as Ubuntu 24.04, this results in a SIGABRT signal, causing a denial-of-service condition. While the overflow could potentially overwrite adjacent stack data, no remote code execution has been demonstrated.

Reproduction

The vulnerability can be reproduced by creating a directory structure that includes a deeply nested path and a .editorconfig file with a section name that exceeds the buffer limit. This crafted directory can then be accessed using an application that integrates with EditorConfig and is linked against the vulnerable version of libeditorconfig, such as gnome-text-editor on Ubuntu 24.04.

Remediation

Users should upgrade to EditorConfig Core C version 0.12.11, which contains the complete fix for this vulnerability.

Added: Apr 18, 2026, 2:20 AM
Updated: Apr 18, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.6
remediation: 0.0
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.