Bug 101691

Summary: CAN-2003-0689 Buffer overrun in getgrouplist function in initgroups.c
Product: [Retired] Red Hat Linux
Reporter: Matt Seitz <mseitz>
Component: glibc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 7.3
CC: fweimer
Keywords: Security
Hardware: i386
OS: Linux
URL: http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/grp/initgroups.c.diff?r1=1.28&r2=1.29&cvsroot=glibc
Fixed In Version: 2.2.5-44
Doc Type: Bug Fix
Last Closed: 2003-11-14 00:23:50 UTC

Description Matt Seitz 2003-08-05 16:30:52 UTC

Description of problem:
There is a buffer overrun bug in the "getgroupslist" function in
"libc/grp/initgroups.c".  The "getgrouplist" function always copies all the
groups returned by "internal_getgrouplist", even if this is greater than the
"ngroups" parameter.  This bug can cause segfaults in Samba 3.0.

Version-Release number of selected component (if applicable):
glibc-2.2.5-43

How reproducible:
Always

Steps to Reproduce:
1.  Pass "getgroupslist" an "ngroups" count that is less than the number of
groups and a "groups" buffer that is not large enough to hold the entire list of
groups.

Actual Results:  The "getgroupslist" function will copy the entire list of
groups to the buffer, overrunning the end of the buffer.

Expected Results:  The "getgrouplist" buffer should only copy the number of
groups specified in the "ngroups" parameter.

Additional info:

The bug was corrected in revision 1.29 of "libc/grp/initgroups.c".  However,
this fix is not present in the current "glibc" release for Red Hat 7.3.
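The report above describes the contract that revision 1.29 restores: the copy into the caller's "groups" buffer must be bounded by "ngroups", and the caller learns the true size through "ngroups" and a -1 return. The following C program is an added example, not glibc's code: it models that contract with a constructed in-memory group table standing in for internal_getgrouplist and the NSS lookup, and shows the caller-side retry pattern that sizes the buffer correctly. All names prefixed model_ and demo_, and the table contents, are this example's own assumptions.

```c
/* Added example: a self-contained model of the getgrouplist() contract
 * (an in-memory group table stands in for internal_getgrouplist and the
 * real NSS lookup), plus the caller-side retry pattern that sizes the
 * buffer correctly. Not glibc's code; names prefixed model_/demo_ are
 * this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample group database: {group gid, member name}. */
struct member { gid_t gid; const char *user; };
static const struct member GROUP_TABLE[] = {
    {4,  "alice"}, {20, "alice"}, {27, "alice"}, {1000, "alice"},
    {27, "bob"},
};
#define GROUP_TABLE_LEN (sizeof GROUP_TABLE / sizeof GROUP_TABLE[0])

/* Model of getgrouplist(3): collect the primary group plus every table
 * entry naming `user`, copy at most *ngroups of them into `groups`, then
 * report the true count through *ngroups. Returns the count when it fit,
 * or -1 when the caller's buffer was too small (the copy stays bounded).
 * The defect in this bug was a copy of the whole list regardless of
 * *ngroups; the bounded copy below is the intended behaviour. */
int model_getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups)
{
    gid_t found[1 + GROUP_TABLE_LEN];
    int n = 0;
    size_t i;

    found[n++] = group;                  /* primary group always first */
    for (i = 0; i < GROUP_TABLE_LEN; i++)
        if (strcmp(GROUP_TABLE[i].user, user) == 0 && GROUP_TABLE[i].gid != group)
            found[n++] = GROUP_TABLE[i].gid;

    int cap = *ngroups < 0 ? 0 : *ngroups;
    int tocopy = n < cap ? n : cap;      /* never exceed the caller's buffer */
    memcpy(groups, found, (size_t)tocopy * sizeof(gid_t));
    *ngroups = n;                        /* tell the caller the real size */
    return n > cap ? -1 : n;
}

/* Caller-side pattern: start with a small buffer, and when the function
 * reports -1, grow to the count it returned in *ngroups and retry.
 * Returns the number of groups, storing a malloc'd array in *out. */
int demo_collect_groups(const char *user, gid_t primary, gid_t **out)
{
    int ngroups = 2;                     /* deliberately small first guess */
    gid_t *buf = malloc((size_t)ngroups * sizeof(gid_t));
    if (buf == NULL)
        return -1;

    while (model_getgrouplist(user, primary, buf, &ngroups) == -1) {
        gid_t *bigger = realloc(buf, (size_t)ngroups * sizeof(gid_t));
        if (bigger == NULL) { free(buf); return -1; }
        buf = bigger;                    /* ngroups now holds the required size */
    }
    *out = buf;
    return ngroups;
}

/* Check that a too-small buffer is not overrun: the slots beyond *ngroups
 * keep their canary value. Returns 1 if the canary survived. */
int demo_canary_intact(void)
{
    gid_t buf[4] = {0, 0, 0xDEAD, 0xDEAD};
    int ngroups = 2;
    int rc = model_getgrouplist("alice", 100, buf, &ngroups);
    return rc == -1 && ngroups == 5 && buf[2] == 0xDEAD && buf[3] == 0xDEAD;
}

int main(void)
{
    gid_t *groups;
    int n = demo_collect_groups("alice", 100, &groups);
    printf("alice has %d groups:", n);
    for (int i = 0; i < n; i++)
        printf(" %u", (unsigned)groups[i]);
    printf("\ncanary intact: %s\n", demo_canary_intact() ? "yes" : "no");
    free(groups);
    return 0;
}
```

The retry loop in demo_collect_groups is the pattern that would have protected a caller such as Samba against an unknown group count; the canary check in demo_canary_intact is the test a defender would use to confirm a library build honours the bound.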

Comment 1 Matt Seitz 2003-08-05 17:35:53 UTC
Sorry, that should have said "getgrouplist", not "getgroupslist"

Comment 2 Matt Seitz 2003-08-05 17:41:34 UTC
Changed summary to make searching easier:
-Removed quotation marks from getgrouplist
-Added initgroups.c

Comment 3 David Lawrence 2003-08-22 21:09:53 UTC
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-249.html

Comment 4 Matt Seitz 2003-09-10 14:58:41 UTC
The errata mentioned in Comment #3 does not include a fix for Red Hat 7.3, the
version I am using.  So that errata does not solve my problem.

Comment 5 Mark J. Cox 2003-10-30 10:39:47 UTC
We're still working on this issue for RHL releases where upgrading glibc has
some side effects.

Comment 6 Matt Seitz 2003-10-30 17:17:44 UTC
Thank you for the update and continuing to work on this issue.

Could the side effects be minimized by taking the existing glibc 2.2.5-43,
adding the fix from "libc/grp/initgroups.c" rev. 1.29, and releasing a glibc
2.2.5-44?  

Comment 7 Matt Seitz 2003-11-12 19:37:01 UTC
I just saw that Red Hat has released a glibc 2.2.5-44 that claims to
fix this problem.  Thank you for following through on this.

Comment 8 Ulrich Drepper 2003-11-14 00:23:50 UTC
We do not provide support for non-standard glibcs.  If you want to do
it you're on your own.  No change which goes into an errata
(especially for a release that old) is not needed.  By leaving out
changes you are doing something we don't regard as smart.

Comment 9 Matt Seitz 2003-11-18 00:28:31 UTC
I'm sorry, I wasn't clear when I wrote comment #6.  I did not want to
compile my own "glibc".  Rather, I was suggesting how Red Hat could
release an errata for 7.3 with a minimum of changes.

Red Hat has since released an official errata, RHSA-2003:325-10
(https://rhn.redhat.com/errata/RHSA-2003-325.html), which fixes the
problem.  I now use that version.  I appreciate Red Hat releasing an
official fix for 7.3 before it reaches End of Life.