Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CAN-2003-0689 Buffer overrun in getgrouplist function in initgroups.c|
|Product:||[Retired] Red Hat Linux||Reporter:||Matt Seitz <mseitz>|
|Component:||glibc||Assignee:||Jakub Jelinek <jakub>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Brian Brock <bbrock>|
|Fixed In Version:||2.2.5-44||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2003-11-13 19:23:50 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Matt Seitz 2003-08-05 12:30:52 EDT
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030708 Description of problem: There is a buffer overrun bug in the "getgroupslist" function in "libc/grp/initgroups.c". The "getgrouplist" function always copies all the groups returned by "internal_getgrouplist", even if this is greater than the "ngroups" parameter. This bug can cause segfaults in Samba 3.0. Version-Release number of selected component (if applicable): glibc-2.2.5-43 How reproducible: Always Steps to Reproduce: 1. Pass "getgroupslist" an "ngroups" count that is less than the number of groups and a "groups" buffer that is not large enough to hold the entire list of groups. Actual Results: The "getgroupslist" function will copy the entire list of groups to the buffer, overrunning the end of the buffer Expected Results: The "getgrouplist" buffer should only copy the number of groups specified in the "ngroups" parameter Additional info: The bug was corrected in revision 1.29 of "libc/grp/initgroups.c". However, this fix is not present in the current "glibc" release for Red Hat 7.3.
Comment 1 Matt Seitz 2003-08-05 13:35:53 EDT
Sorry, that should have said "getgrouplist", not "getgroupslist"
Comment 2 Matt Seitz 2003-08-05 13:41:34 EDT
Changed summarry to make searching easier: -Removed quotation marks from getgrouplist -Added initgroups.c
Comment 3 David Lawrence 2003-08-22 17:09:53 EDT
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2003-249.html
Comment 4 Matt Seitz 2003-09-10 10:58:41 EDT
The errata mentioned in Comment #3 does not include a fix for Red Hat 7.3, the version I am using. So that errata does not solve my problem.
Comment 5 Mark J. Cox (Product Security) 2003-10-30 05:39:47 EST
We're still working on this issue for RHL releases where upgrading glibc has some side effects.
Comment 6 Matt Seitz 2003-10-30 12:17:44 EST
Thank you for the update and continuing to work on this issue. Could the side effects be minimized by taking the existing glibc 2.2.5-43, adding the fix from "libc/grp/initgroups.c" rev. 1.29, and releasing a glibc 2.2.5-44?
Comment 7 Matt Seitz 2003-11-12 14:37:01 EST
I just saw that Red Hat has released a glibc 2.2.5-44 that claims to fix this problem. Thank you for following through on this.
Comment 8 Ulrich Drepper 2003-11-13 19:23:50 EST
We do not provide support for non-standard glibcs. If you want to do it you're on your own. No change which goes into an errata (especially for a release that old) is not needed. By leaving out changes you are doing something we don't regard as smart.
Comment 9 Matt Seitz 2003-11-17 19:28:31 EST
I'm sorry, I wasn't clear when I wrote comment #6. I did not want to compile my own "glibc". Rather, I was suggesting how Red Hat could release an errata for 7.3 with a minimum of changes. Red Hat has since released an official errata, RHSA-2003:325-10 (https://rhn.redhat.com/errata/RHSA-2003-325.html), which fixes the problem. I now use that version. I appreciate Red Hat releasing an official fix for 7.3 before it reaches End of Life.