Bug 1545824

Summary: iniparser: stack-buffer-underflow in iniparser_load in iniparser.c
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: asn, extras-orphan, jaromir.capik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: iniparser 4.1 Doc Type: If docs needed, set a value
Doc Text:
A stack buffer underflow was found in the way iniparser handled processing of INI files. An attacker could potentially use this flaw to crash an application using iniparser under specific circumstances by tricking it into processing crafted INI files.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:40:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1545825, 1553577    
Bug Blocks: 1545833    

Description Laura Pardo 2018-02-15 15:54:18 UTC 
A flaw was found in iniparser version prior to 4.1. A stack buffer underflow in the function iniparser_load() in iniparser.c file which can be triggered by parsing a file that containing a zero-byte. This vulnerability may allow an attacker to cause a Denial of Service (DoS).

References:

https://github.com/ndevilla/iniparser/issues/68

Patch:

https://github.com/ndevilla/iniparser/commit/4f870752abbb756911d7b11405d49e9769d082bd
Comment 1 Laura Pardo 2018-02-15 15:54:55 UTC 
Created iniparser tracking bugs for this issue:

Affects: fedora-all [bug 1545825]