Bug 1921916 (CVE-2021-3326)
Summary: | CVE-2021-3326 glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | arjun.is, ashankar, bdettelb, codonell, dj, fweimer, glibc-bugzilla, kaycoth, mfabian, mnewsome, pfrankli, sipoyare, tomckay |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | glibc 2.33 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in glibc's iconv() functionality. This flaw allows an attacker capable of supplying a crafted sequence of characters to an application using iconv() to convert from ISO-2022-JP-3 to cause an assertion failure. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-05-18 14:38:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1925091, 1925093, 1921917, 1924919, 1924920, 1925088, 1925089, 1925090, 1925092, 1968676, 1968677, 1968678 | ||
Bug Blocks: | 1921918 |
Description
Pedro Sampaio
2021-01-28 20:47:06 UTC
Created glibc tracking bugs for this issue: Affects: fedora-all [bug 1921917] Flaw technical summary: glibc's iconv() function, when converting from ISO-2022-JP-3 ( which would have a conversion descriptor allocated by a call to e.g. `iconv_open ("UTF-8", "ISO-2022-JP-3")` ), can trigger an assertion failure in the form: `../iconv/skeleton.c:746: gconv: Assertion `outbuf == outerr' failed.` when processing a specific character sequence. Thus, any application which relies upon glibc's inconv() function and which uses the aforementioned encodings, could be susceptible to a denial of service if it processes the sequence, potentially provided by an attacker. Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Statement: Exploitation of this flaw would cause the application to halt execution. It relies on processing untrusted input in the ISO-2022-JP-3 encoding or ISO-2022-JP-3 being used as a MIME charset in applications using iconv. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1585 https://access.redhat.com/errata/RHSA-2021:1585 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3326 |