Bug 101691

Summary: CAN-2003-0689 Buffer overrun in getgrouplist function in initgroups.c
Product: [Retired] Red Hat Linux
Reporter: Matt Seitz <mseitz>
Component: glibc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.3
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
URL: http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/grp/initgroups.c.diff?r1=1.28&r2=1.29&cvsroot=glibc
Whiteboard:
Fixed In Version: 2.2.5-44
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-11-13 19:23:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Matt Seitz 2003-08-05 12:30:52 EDT
Description of problem:
There is a buffer overrun bug in the "getgroupslist" function in
"libc/grp/initgroups.c".  The "getgrouplist" function always copies all the
groups returned by "internal_getgrouplist", even if this is greater than the
"ngroups" parameter.  This bug can cause segfaults in Samba 3.0.  


Version-Release number of selected component (if applicable):
glibc-2.2.5-43

How reproducible:
Always

Steps to Reproduce:
1.  Pass "getgroupslist" an "ngroups" count that is less than the number of
groups and a "groups" buffer that is not large enough to hold the entire list of
groups.

Actual Results:  The "getgroupslist" function will copy the entire list of
groups to the buffer, overrunning the end of the buffer 

Expected Results:  The "getgrouplist" buffer should only copy the number of
groups specified in the "ngroups" parameter

Additional info:

The bug was corrected in revision 1.29 of "libc/grp/initgroups.c".  However,
this fix is not present in the current "glibc" release for Red Hat 7.3.
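To make the defect concrete, here is an added illustration (not glibc's code and not the reporter's): a reconstruction of the pre-fix copy logic beside a bounded version that follows the getgrouplist(3) contract (copy at most ngroups entries, report the true count through ngroups, return -1 on truncation). The group list and the sentinel-buffer harness are constructed for the example; real callers should treat -1 as "grow the buffer to the reported count and retry".

```c
#include <string.h>
#include <sys/types.h>

/* Constructed sample: groups the internal lookup would have found. */
static const gid_t sample_groups[] = {100, 101, 102, 103, 104, 105};
#define SAMPLE_COUNT 6

/* Pre-fix behaviour (a reconstruction, not glibc's code): every found
 * group is copied, so nfound > *ngroups writes past the caller's buffer. */
static int copy_groups_unchecked(gid_t *buf, int *ngroups,
                                 const gid_t *found, int nfound)
{
    memcpy(buf, found, (size_t)nfound * sizeof(gid_t));
    *ngroups = nfound;
    return nfound;
}

/* Fixed behaviour per the getgrouplist(3) contract: copy at most *ngroups
 * entries, report the full count through *ngroups, return -1 on truncation. */
static int copy_groups_bounded(gid_t *buf, int *ngroups,
                               const gid_t *found, int nfound)
{
    int limit = *ngroups, ncopy = nfound < limit ? nfound : limit;
    memcpy(buf, found, (size_t)ncopy * sizeof(gid_t));
    *ngroups = nfound;
    return nfound > limit ? -1 : nfound;
}

typedef int (*copier_fn)(gid_t *, int *, const gid_t *, int);

/* Return value and reported count from the most recent count_clobbered run. */
static int last_ret, last_reported;

/* Give a copier a caller buffer of `cap` entries carved from a larger
 * sentinel-filled array; return how many sentinel slots past `cap` were
 * overwritten (0 means no overrun). The spare slots keep the demo itself
 * within bounds while still exposing the out-of-range writes. */
static int count_clobbered(copier_fn fn, int cap)
{
    enum { SLOTS = 16 };
    gid_t buf[SLOTS];
    int i, n = cap, clobbered = 0;
    for (i = 0; i < SLOTS; i++) buf[i] = (gid_t)0xDEADBEEF;
    last_ret = fn(buf, &n, sample_groups, SAMPLE_COUNT);
    last_reported = n;
    for (i = cap; i < SLOTS; i++)
        if (buf[i] != (gid_t)0xDEADBEEF) clobbered++;
    return clobbered;
}
```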
Comment 1 Matt Seitz 2003-08-05 13:35:53 EDT
Sorry, that should have said "getgrouplist", not "getgroupslist"
Comment 2 Matt Seitz 2003-08-05 13:41:34 EDT
Changed summary to make searching easier:
-Removed quotation marks from getgrouplist
-Added initgroups.c
Comment 3 David Lawrence 2003-08-22 17:09:53 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-249.html
Comment 4 Matt Seitz 2003-09-10 10:58:41 EDT
The errata mentioned in Comment #3 does not include a fix for Red Hat 7.3, the
version I am using.  So that errata does not solve my problem.
Comment 5 Mark J. Cox (Product Security) 2003-10-30 05:39:47 EST
We're still working on this issue for RHL releases where upgrading glibc has
some side effects.
Comment 6 Matt Seitz 2003-10-30 12:17:44 EST
Thank you for the update and continuing to work on this issue.

Could the side effects be minimized by taking the existing glibc 2.2.5-43,
adding the fix from "libc/grp/initgroups.c" rev. 1.29, and releasing a glibc
2.2.5-44?  
Comment 7 Matt Seitz 2003-11-12 14:37:01 EST
I just saw that Red Hat has released a glibc 2.2.5-44 that claims to
fix this problem.  Thank you for following through on this.
Comment 8 Ulrich Drepper 2003-11-13 19:23:50 EST
We do not provide support for non-standard glibcs.  If you want to do
it you're on your own.  No change which goes into an errata
(especially for a release that old) is not needed.  By leaving out
changes you are doing something we don't regard as smart.
Comment 9 Matt Seitz 2003-11-17 19:28:31 EST
I'm sorry, I wasn't clear when I wrote comment #6.  I did not want to
compile my own "glibc".  Rather, I was suggesting how Red Hat could
release an errata for 7.3 with a minimum of changes.

Red Hat has since released an official errata, RHSA-2003:325-10
(https://rhn.redhat.com/errata/RHSA-2003-325.html), which fixes the
problem.  I now use that version.  I appreciate Red Hat releasing an
official fix for 7.3 before it reaches End of Life.