Bug 2024637 (CVE-2021-3999)

Summary: CVE-2021-3999 glibc: Off-by-one buffer overflow/underflow in getcwd()
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Reporter: Pedro Sampaio <psampaio>
Assignee: Red Hat Product Security <security-response-team>
CC: aoliva, arjun.is, ashankar, bdettelb, caswilli, codonell, dhalasz, dj, fjansen, fweimer, ganandan, glibc-bugzilla, jburrell, jtanner, jwong, kaycoth, law, lnacshon, mcascell, mcermak, mfabian, micjohns, mnewsome, pfrankli, psegedy, rschiron, rth, security-response-team, sipoyare, sthirugn, tsasak, vkrizan, vkumar, vmugicag
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.
Last Closed: 2022-05-04 01:15:19 UTC
Bug Depends On: 2025929, 2025930, 2032279, 2032280, 2032281, 2039676
Bug Blocks: 2024641

Description Pedro Sampaio 2021-11-18 14:42:47 UTC
A flaw was found in glibc. The getcwd() function is affected by an off-by-one buffer overflow and underflow that may lead to memory corruption when the size of the buffer is exactly 1 byte.

Comment 18 Mauro Matteo Cascella 2022-01-12 08:37:18 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2039676]

Comment 22 Siddhesh Poyarekar 2022-01-12 13:45:02 UTC
Filed upstream as: https://sourceware.org/bugzilla/show_bug.cgi?id=28769

Comment 26 Riccardo Schirone 2022-01-20 10:59:15 UTC
I'm updating the CVSS from 8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H to 7.4/CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H . This changes the Attack Vector from Network (AV:N) to Local (AV:L), because it was wrongly set in the first place. The description of the flaw already mentioned "local attacker" but we forgot to reflect this knowledge in the CVSS.

Triggering this bug indeed requires the attacker to be able to alter the current working directory of a process and configure its environment in specific ways that only a local user could do in reasonable scenarios.

Comment 27 Riccardo Schirone 2022-01-20 11:18:21 UTC
This flaw can be triggered only when the following conditions are respected:
- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory (e.g. through a mount namespace)
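
The first of the three conditions above (a 1-byte buffer) is the one an application can close on its own while it waits for a patched C library. The C program below is an added example, not code from this bug report or from glibc: a `safe_getcwd()` wrapper (assumed name) that refuses `size == 1` up front with `ERANGE`, which is the same early rejection the upstream fix for sourceware bug 28769 introduced inside glibc, and a `getcwd_alloc()` helper (assumed name) that grows its buffer on `ERANGE` so callers never need to pick a buffer size by hand.

```c
/* Added example (not from the bug report or from glibc): a getcwd() wrapper
 * that rejects the degenerate size == 1 call before it reaches the C library,
 * plus an allocating helper that retries on ERANGE instead of guessing. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hardened wrapper (assumed name).  No valid absolute path ("/" plus the
 * terminating NUL) fits in one byte, so a size of 1 can never succeed and is
 * refused here with ERANGE, the same errno a too-small buffer normally gets.
 * Every other size is passed through unchanged. */
char *safe_getcwd(char *buf, size_t size)
{
    if (size == 1) {
        errno = ERANGE;
        return NULL;
    }
    return getcwd(buf, size);
}

/* Allocating helper (assumed name): starts small and doubles the buffer each
 * time getcwd() reports ERANGE.  Returns a malloc'd string the caller frees,
 * or NULL with errno set. */
char *getcwd_alloc(void)
{
    size_t size = 64;            /* deliberately small so ERANGE is exercised */
    for (;;) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        if (safe_getcwd(buf, size) != NULL)
            return buf;
        int saved = errno;       /* free() may clobber errno */
        free(buf);
        if (saved != ERANGE) {
            errno = saved;
            return NULL;
        }
        if (size > SIZE_MAX / 2) {
            errno = ENAMETOOLONG;
            return NULL;
        }
        size *= 2;
    }
}

/* Check: the wrapper refuses a 1-byte buffer with ERANGE and leaves the
 * caller's buffer untouched.  Returns 1 on success, 0 otherwise. */
int rejects_one_byte_buffer(void)
{
    char tiny[1] = { 'x' };
    errno = 0;
    char *r = safe_getcwd(tiny, sizeof tiny);
    return r == NULL && errno == ERANGE && tiny[0] == 'x';
}

/* Check: the allocating helper yields an absolute path.  Returns 1 on
 * success, 0 otherwise. */
int alloc_yields_absolute_path(void)
{
    char *cwd = getcwd_alloc();
    int ok = cwd != NULL && cwd[0] == '/';
    free(cwd);
    return ok;
}

int main(void)
{
    printf("1-byte buffer rejected: %s\n", rejects_one_byte_buffer() ? "yes" : "no");
    char *cwd = getcwd_alloc();
    if (cwd == NULL) {
        perror("getcwd_alloc");
        return 1;
    }
    printf("cwd: %s\n", cwd);
    free(cwd);
    return 0;
}
```

The wrapper rejects `size == 1` regardless of whether `buf` is NULL, because glibc's extension that allocates the buffer itself when `buf` is NULL still honours a non-zero `size`, so a NULL buffer with size 1 reaches the same code path. The allocating helper avoids the second condition in the list (a long working directory overflowing a fixed guess) by never assuming `PATH_MAX` is an upper bound.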

Comment 30 errata-xmlrpc 2022-03-15 10:21:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0896 https://access.redhat.com/errata/RHSA-2022:0896

Comment 31 Product Security DevOps Team 2022-05-04 01:15:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3999