Bug 2139327 (CVE-2022-3821)

Summary: CVE-2022-3821 systemd: buffer overrun in format_timespan() function
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, bdettelb, bgalvani, caswilli, dffrench, dhalasz, dkuc, fjansen, gzaronik, hbraun, jburrell, jkoehler, jwong, jwon, kaycoth, kshier, kyoshida, lnykryn, lpoetter, lrintel, micjohns, msekleta, ngough, nm-team, psegedy, rgodfrey, rkhan, security-response-team, stcannon, sthirugn, sukulkar, systemd-maint-list, systemd-maint, tcarlin, tfister, till, tmeszaro, tsasak, vkrizan, vkumar, vmugicag, zjedrzej
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: systemd 251-stable, systemd 252-rc1 Doc Type: If docs needed, set a value
Doc Text:
An off-by-one error flaw was found in systemd in the format_timespan() function of time-util.c. This flaw allows an attacker to supply specific values for time and accuracy, leading to a buffer overrun in format_timespan(), leading to a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-25 14:22:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2139355, 2139388, 2139389, 2139390, 2139391, 2139392, 2142954    
Bug Blocks: 2137787, 2140981    

Description TEJ RATHI 2022-11-02 07:54:19 UTC 
Systemd: The format_timespan function in time-util.c triggers buffer overrun with crafted time values. Supplying specific values for time and accuracy leads to buffer overrun in format_timespan, leading to Denial of Service.

References:
https://github.com/systemd/systemd/issues/23928
https://github.com/systemd/systemd/pull/23933
https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e
Comment 1 TEJ RATHI 2022-11-02 09:44:37 UTC 
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 2139355]
Comment 9 juneau 2022-11-15 16:03:49 UTC 
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 2142954]
Comment 14 errata-xmlrpc 2023-01-12 09:19:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0100 https://access.redhat.com/errata/RHSA-2023:0100
Comment 15 errata-xmlrpc 2023-01-23 15:21:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0336 https://access.redhat.com/errata/RHSA-2023:0336
Comment 16 Product Security DevOps Team 2023-01-25 14:22:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3821
Comment 21 errata-xmlrpc 2024-03-05 16:18:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1105 https://access.redhat.com/errata/RHSA-2024:1105