Bug 1895379 (CVE-2020-28241)

Summary: CVE-2020-28241 libmaxminddb: improper initialization in dump_entry_data_list() in maxminddb.c
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: igor.raits, jtfas90, jv+fedora, mruprich, ollie.yeoh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libmaxminddb 1.4.3 Doc Type: If docs needed, set a value
Doc Text:
An improper initialization issue was found in libmaxminddb. A remote user could exploit this flaw by sending a specially crafted MaxMind DB file that, when parsed by an application linked to libmaxminddb, would possibly crash the application, resulting in a denial of service condition.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 11:00:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1895380, 1895381, 1900503, 1900504, 1910599    
Bug Blocks: 1895382    

Description Guilherme de Almeida Suckevicz 2020-11-06 14:31:03 UTC 
libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c.

Reference:
https://github.com/maxmind/libmaxminddb/issues/236

Upstream patch:
https://github.com/maxmind/libmaxminddb/pull/237
Comment 1 Guilherme de Almeida Suckevicz 2020-11-06 14:31:24 UTC 
Created libmaxminddb tracking bugs for this issue:

Affects: epel-all [bug 1895381]
Affects: fedora-all [bug 1895380]
Comment 3 Mauro Matteo Cascella 2020-11-23 09:36:01 UTC 
In case of NULL size, bytes_to_hex() allocates a heap chunk via malloc() without proper initialization. The pointer to this chunk (hex_string) is later passed as argument to fprintf, resulting in undefined behavior (possibly leading to crash, or unlikely heap buffer overflow). The upstream fix replaces malloc() with calloc(), thus always initializing memory regardless of whether the for loop in bytes_to_hex() is entered or not.

--- src/maxminddb.c
LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
{
    char *hex_string;
    ...
    hex_string = malloc((size * 2) + 1);
    ...
    for (uint32_t i = 0; i < size; i++) {
        sprintf(hex_string + (2 * i), "%02X", bytes[i]);
    }
    return hex_string;
}

LOCAL MMDB_entry_data_list_s *dump_entry_data_list(...)
{
    ...
    case MMDB_DATA_TYPE_BYTES:
    {
        char *hex_string = bytes_to_hex((uint8_t *)entry_data_list->entry_data.bytes, 
                                        entry_data_list->entry_data.data_size);
        ...
        fprintf(stream, "%s <bytes>\n", hex_string);
    }
    ...
}
Comment 8 errata-xmlrpc 2024-02-08 18:04:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0750 https://access.redhat.com/errata/RHSA-2024:0750
Comment 9 errata-xmlrpc 2024-02-08 18:04:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0751 https://access.redhat.com/errata/RHSA-2024:0751
Comment 10 errata-xmlrpc 2024-02-12 00:26:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0768 https://access.redhat.com/errata/RHSA-2024:0768
Comment 11 errata-xmlrpc 2024-04-04 21:33:06 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:1686 https://access.redhat.com/errata/RHSA-2024:1686