Bug 1635896 (CVE-2018-17942)
| Summary: | CVE-2018-17942 gnulib: heap-based buffer overflow in convert_to_decimal function in vasnprintf.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Mosaab Alzoubi <moceap> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | abhgupta, admiller, berrange, dbaker, eblake, jamartis, jarodwilson, jdenemar, jokerman, jsuchane, kdudka, knoel, kzak, libvirt-maint, moceap, ooprala, ovasik, p, pkrempa, rbalakri, sebastian.kisela, sisharma, sthangav, than, trankin, twaugh, vbellur, zbyszek |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | gnulib-0-31.20200107git.fc32 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-01-10 23:32:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1635897, 1635898, 1635899, 1635900, 1638198, 1639770 | ||
| Bug Blocks: | 1635901 | ||
|
Description
Laura Pardo
2018-10-03 20:56:56 UTC
Created coreutils tracking bugs for this issue: Affects: fedora-all [bug 1635899] Created gnulib tracking bugs for this issue: Affects: epel-7 [bug 1635898] Affects: fedora-all [bug 1635897] convert_to_decimal function in vasnprintf.c is compiled and used only when either NEED_PRINTF_LONG_DOUBLE or NEED_PRINTF_DOUBLE macros are defined at compilation time. Components that use Gnulib use m4 files to check whether those macros are necessary. Those macros are defined in m4/vasnprintf.m4 only if the system *printf functions do not: 1) support long doubles 2) support large precisions 3) recover gracefully in case of an out-of-memory condition. glibc does supports all of the above things, thus the macros are not defined and the system functions are used to deal with float/double numbers. The vulnerable code in convert_to_decimal function is not compiled in RHEL packages and they are not vulnerable to this flaw. Many components embed gnulib and the vulnerable function, however as explained in comment 6 the convert_to_decimal function is compiled only on systems that do not use glibc, according to the default m4 configuration file. All components that have been found to embed gnulib: gettext, enscript, libunistring, sharutils, m17n-lib, m4, xchat, hunspell, icoutils, netcf, cpio, amanda, bison, gcc, glib2, gnutls, openscap, tar, vorbis-tools, diffutils, guile, libpipeline, rcs, grep, gzip, hivex, supermin, patch, augeas, coreutils, findutils, grub2, lftp, libvirt, man-db, wget. The configuration files that enable/disable the use of double formats in printf-like functions (and the use of the vulnerable function) have been manually analyzed in the following components: gettext, grub2, gzip, tar, wget, libvirt, enscript, cpio, gcc. the embed gnulib in patch is effected. I have built new patch with the fix in rawhide. https://koji.fedoraproject.org/koji/taskinfo?taskID=31129818 (In reply to Riccardo Schirone from comment #7) > The configuration files that enable/disable the use of double formats in > printf-like functions (and the use of the vulnerable function) have been > manually analyzed in the following components: gettext, grub2, gzip, tar, > wget, libvirt, enscript, cpio, gcc. NB, the places where libvirt uses the buggy code are not security sensitive, so from libvirt's POV this is just a normal bug, not a security flaw. |