Bug 1895379 (CVE-2020-28241)
Summary: | CVE-2020-28241 libmaxminddb: improper initialization in dump_entry_data_list() in maxminddb.c | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | igor.raits, jtfas90, jv+fedora, mruprich, ollie.yeoh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libmaxminddb 1.4.3 | Doc Type: | If docs needed, set a value |
Doc Text: |
An improper initialization issue was found in libmaxminddb. A remote user could exploit this flaw by sending a specially crafted MaxMind DB file that, when parsed by an application linked to libmaxminddb, would possibly crash the application, resulting in a denial of service condition.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-28 11:00:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1895380, 1895381, 1900503, 1900504, 1910599 | ||
Bug Blocks: | 1895382 |
Description
Guilherme de Almeida Suckevicz
2020-11-06 14:31:03 UTC
Created libmaxminddb tracking bugs for this issue: Affects: epel-all [bug 1895381] Affects: fedora-all [bug 1895380] In case of NULL size, bytes_to_hex() allocates a heap chunk via malloc() without proper initialization. The pointer to this chunk (hex_string) is later passed as argument to fprintf, resulting in undefined behavior (possibly leading to crash, or unlikely heap buffer overflow). The upstream fix replaces malloc() with calloc(), thus always initializing memory regardless of whether the for loop in bytes_to_hex() is entered or not. --- src/maxminddb.c LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size) { char *hex_string; ... hex_string = malloc((size * 2) + 1); ... for (uint32_t i = 0; i < size; i++) { sprintf(hex_string + (2 * i), "%02X", bytes[i]); } return hex_string; } LOCAL MMDB_entry_data_list_s *dump_entry_data_list(...) { ... case MMDB_DATA_TYPE_BYTES: { char *hex_string = bytes_to_hex((uint8_t *)entry_data_list->entry_data.bytes, entry_data_list->entry_data.data_size); ... fprintf(stream, "%s <bytes>\n", hex_string); } ... } This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:0750 https://access.redhat.com/errata/RHSA-2024:0750 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0751 https://access.redhat.com/errata/RHSA-2024:0751 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0768 https://access.redhat.com/errata/RHSA-2024:0768 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2024:1686 https://access.redhat.com/errata/RHSA-2024:1686 |