Bug 1192525 (CVE-2015-8982)

Summary: CVE-2015-8982 glibc: multiple overflows in strxfrm()
Product: Other (Security Response)
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DEFERRED
Severity: low
Priority: low
Version: unspecified
CC: arjun.is, ashankar, codonell, fweimer, jakub, jrusnack, law, mnewsome, pfrankli, sardella
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: glibc 2.21
Doc Type: Bug Fix
Last Closed: 2015-11-24 08:29:24 UTC
Bug Depends On: 1192527
Bug Blocks: 1187112, 1192526

Attachments:
strxfrm-alloca.c (flags: none)
strxfrm-int32.c (flags: none)

Description Vasyl Kaigorodov 2015-02-13 15:50:53 UTC
Integer overflow when computing memory allocation sizes (similar to CVE-2012-4412) was reported [1] in the glibc strxfrm() function. Attached strxfrm-int32.c should trigger this issue on 32-bit systems.
Additionally, it was discovered [1] that strxfrm() falls back to an unbounded alloca if malloc fails, making it vulnerable to stack-based buffer overflows (similar to CVE-2012-4424). Attached strxfrm-alloca.c should trigger this issue.

Upstream commit that fixes all issues:
http://seclists.org/oss-sec/2015/q1/540

[1]: http://seclists.org/oss-sec/2015/q1/540
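The two defects described above (a wrapping size computation and an unbounded alloca fallback) have a standard hardened shape; the following is an added illustration written for this page, not glibc's code or its actual fix. The scratch-array layout, the 4096-byte stack cutoff and the byte-sum workload are constructed stand-ins for strxfrm's internal index table.

```c
#include <alloca.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Largest scratch buffer this example allows on the stack (constructed limit). */
#define STACK_SCRATCH_CUTOFF 4096

/* Bytes needed for 'count' int32_t slots; returns 0 if count is 0 or if
 * count * sizeof(int32_t) would wrap. Without this check a huge input can
 * request a tiny buffer and every later write runs past its end. */
size_t int32_scratch_bytes(size_t count)
{
    if (count > SIZE_MAX / sizeof(int32_t))
        return 0;                       /* multiplication would overflow */
    return count * sizeof(int32_t);
}

/* Fill an int32_t scratch array with the byte values of 's' and return their
 * sum; a stand-in for the per-character index table strxfrm keeps.
 * Returns -1 when the size computation overflows or the heap is exhausted. */
long scratch_sum(const char *s)
{
    size_t count = strlen(s) + 1;       /* include the terminating NUL */
    size_t bytes = int32_scratch_bytes(count);
    if (bytes == 0)
        return -1;

    int32_t *idx;
    bool on_heap = false;
    if (bytes <= STACK_SCRATCH_CUTOFF) {
        idx = alloca(bytes);            /* bounded: never above the cutoff */
    } else {
        idx = malloc(bytes);            /* large: heap only, no alloca fallback */
        if (idx == NULL)
            return -1;                  /* fail closed instead of alloca(bytes) */
        on_heap = true;
    }

    long sum = 0;
    for (size_t i = 0; i < count; i++) {
        idx[i] = (unsigned char)s[i];
        sum += idx[i];
    }
    if (on_heap)
        free(idx);
    return sum;
}
```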

Comment 1 Vasyl Kaigorodov 2015-02-13 15:52:12 UTC
Created attachment 991416 [details]
strxfrm-alloca.c

Comment 2 Vasyl Kaigorodov 2015-02-13 15:52:26 UTC
Created attachment 991417 [details]
strxfrm-int32.c

Comment 3 Vasyl Kaigorodov 2015-02-13 15:53:28 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1192527]

Comment 4 Florian Weimer 2015-02-25 09:20:39 UTC
Actual upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=0f9e585480ed

One of the integer overflows (or a precursor to it) was introduced into strxfrm in this commit:

commit 450bf66ef223ad83e7032920652445817865770b
Author: Ulrich Drepper <drepper>
Date:   Sat Dec 25 23:41:39 1999 +0000
…
        * string/strxfrm.c: Complete rewrite for new collate implementation.

strxfrm is not widely used (although it is referenced by Firefox and PostgreSQL); use of strxfrm_l is even rarer.

Comment 5 Huzaifa S. Sidhpurwala 2015-09-08 07:24:28 UTC
CVE request via:

http://openwall.com/lists/oss-security/2015/09/08/2

Comment 7 Andrej Nemec 2017-02-15 09:12:53 UTC
CVE assignment:

http://seclists.org/oss-sec/2017/q1/437