Bug 1135841 (CVE-2014-6040)

Summary: CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ashankar, chazlett, codonell, fweimer, hannsj_uhl, huzaifas, jakub, jrusnack, law, pfrankli, sardella, spoyarek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-06 10:34:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1127381, 1135842, 1139571, 1140474, 1172044    
Bug Blocks: 1121513, 1135843, 1157695    

Description Murray McAllister 2014-09-01 02:28:05 UTC
Crashes were reported in the IBM code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364):

https://sourceware.org/bugzilla/show_bug.cgi?id=17325
https://sourceware.org/ml/libc-alpha/2014-08/msg00473.html

Florian Weimer noted:

"These crashers are out-of-bounds reads at a fixed offset relative to the data segment of a DSO, and in all cases I've seen, they were right in the middle of an unmapped segment of the same DSO. This means that these bugs are just crashers, but they can still result in denial-of-service conditions."

Reference:

http://seclists.org/oss-sec/2014/q3/466

Comment 1 Murray McAllister 2014-09-01 02:28:52 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1135842]

Comment 2 Murray McAllister 2014-09-02 06:02:01 UTC
MITRE assigned CVE-2014-6040 to these issues:

http://www.openwall.com/lists/oss-security/2014/09/02/1

Comment 4 Florian Weimer 2014-09-04 18:10:51 UTC
Possible mitigation: Remove the DSOs with the affected gconv modules if they are not needed:

/usr/lib/gconv/IBM932.so
/usr/lib/gconv/IBM933.so
/usr/lib/gconv/IBM935.so
/usr/lib/gconv/IBM937.so
/usr/lib/gconv/IBM939.so
/usr/lib/gconv/IBM1364.so
/usr/lib/gconv/IBM1371.so
/usr/lib/gconv/IBM1388.so
/usr/lib/gconv/IBM1390.so
/usr/lib/gconv/IBM1399.so

/usr/lib64/gconv/IBM932.so
/usr/lib64/gconv/IBM933.so
/usr/lib64/gconv/IBM935.so
/usr/lib64/gconv/IBM937.so
/usr/lib64/gconv/IBM939.so
/usr/lib64/gconv/IBM1364.so
/usr/lib64/gconv/IBM1371.so
/usr/lib64/gconv/IBM1388.so
/usr/lib64/gconv/IBM1390.so
/usr/lib64/gconv/IBM1399.so

IBM930 is not affected (see https://bugzilla.redhat.com/show_bug.cgi?id=1135840).

Comment 7 Florian Weimer 2014-11-14 13:26:28 UTC
Upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=41488498b6

Comment 8 Huzaifa S. Sidhpurwala 2014-11-27 05:19:46 UTC
Statement:

This issue affects the version of glibc package as shipped with Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata

Comment 14 errata-xmlrpc 2015-01-07 17:18:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0016 https://rhn.redhat.com/errata/RHSA-2015-0016.html

Comment 15 Fedora Update System 2015-03-04 10:25:25 UTC
glibc-2.18-19.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2015-03-05 07:18:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0327 https://rhn.redhat.com/errata/RHSA-2015-0327.html