Bug 2024637 (CVE-2021-3999)
| Field | Value |
|---|---|
| Summary | CVE-2021-3999 glibc: Off-by-one buffer overflow/underflow in getcwd() |
| Product | [Other] Security Response |
| Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | aoliva, arjun.is, ashankar, bdettelb, caswilli, codonell, dhalasz, dj, fjansen, fweimer, ganandan, glibc-bugzilla, jburrell, jtanner, jwong, kaycoth, law, lnacshon, mcascell, mcermak, mfabian, micjohns, mnewsome, pfrankli, psegedy, rschiron, rth, security-response-team, sipoyare, sthirugn, tsasak, vkrizan, vkumar, vmugicag |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2022-05-04 01:15:19 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 2025929, 2025930, 2032279, 2032280, 2032281, 2039676 |
| Bug Blocks | 2024641 |
Description
Pedro Sampaio
2021-11-18 14:42:47 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2039676]

Filed upstream as: https://sourceware.org/bugzilla/show_bug.cgi?id=28769

I'm updating the CVSS from 8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H to 7.4/CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This changes the Attack Vector from Network (AV:N) to Local (AV:L), because it was wrongly set in the first place. The description of the flaw already mentioned "local attacker" but we forgot to reflect this knowledge in the CVSS. Triggering this bug indeed requires the attacker to be able to alter the current working directory of a process and configure its environment in specific ways that only a local user could do in reasonable scenarios.

This flaw can be triggered only when the following conditions are respected:

- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory (e.g. through a mount namespace)

Upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:0896 https://access.redhat.com/errata/RHSA-2022:0896

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3999
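As an added example that is not part of this bug report or of glibc itself: the defensive calling pattern that never passes the degenerate 1-byte buffer named in the trigger conditions above, and instead sizes the buffer to the actual working directory by retrying on ERANGE. The helper names checked_getcwd, getcwd_dynamic and getcwd_dynamic_matches are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
/* Smallest buffer that can hold any valid cwd: "/" plus the NUL terminator.
 * A size of 1 can never succeed, and it is exactly the case CVE-2021-3999 hits. */
#define CWD_MIN_SIZE 2
/* Wrapper (hypothetical name) that rejects degenerate arguments before they
 * reach libc. Returns 0 on success, -1 with errno set otherwise. */
int checked_getcwd(char *buf, size_t size) {
    if (buf == NULL || size < CWD_MIN_SIZE) {
        errno = EINVAL;
        return -1;
    }
    return getcwd(buf, size) == NULL ? -1 : 0;
}

/* Size the buffer to the real cwd by retrying on ERANGE (hypothetical helper).
 * Caller frees the result. Returns NULL with errno set on failure. */
char *getcwd_dynamic(void) {
    size_t size = 64;                        /* small start to exercise ERANGE */
    while (size <= (size_t)PATH_MAX * 4) {   /* hard stop on runaway growth */
        char *buf = malloc(size);
        if (buf == NULL) return NULL;
        if (checked_getcwd(buf, size) == 0) return buf;
        int saved = errno;
        free(buf);
        if (saved != ERANGE) {               /* ENOENT, EACCES, ... are final */
            errno = saved;
            return NULL;
        }
        size *= 2;
    }
    errno = ENAMETOOLONG;
    return NULL;
}

/* Self-check: the dynamic result must equal what a large fixed buffer returns. */
int getcwd_dynamic_matches(void) {
    char fixed[PATH_MAX];
    char *dyn = getcwd_dynamic();
    int ok = dyn != NULL && checked_getcwd(fixed, sizeof fixed) == 0
             && strcmp(dyn, fixed) == 0;
    free(dyn);
    return ok;
}
```

In a setuid program the buffer and its size should not come from untrusted input in the first place; a wrapper like this is a second line of defence, not a substitute for the fixed glibc.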