Bug 2167666 (CVE-2023-25139)

Summary: CVE-2023-25139 glibc: incorrect printf output for integers with thousands separator and width field
Product: [Other] Security Response
Component: vulnerability
Reporter: Sandipan Roy <saroy>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
CC: acrosby, adudiak, aoconnor, ashankar, bdettelb, caswilli, codonell, dffrench, dfreiber, dhalasz, dj, dkuc, drieden, fjansen, fweimer, ggastald, glibc-bugzilla, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jkoehler, jmitchel, jsherril, jtanner, kaycoth, kshier, micjohns, mnewsome, ngough, nweather, oezr, pfrankli, psegedy, rgodfrey, rogbas, rravi, sbiarozk, security-response-team, sipoyare, stcannon, sthirugn, tcarlin, tfister, tkasparek, tohughes, tsasak, vkrizan, vkumar, vmugicag, yguenane
Doc Text:
A vulnerability was found in glibc 2.37. When a function in the printf family is called with a format specifier that combines the apostrophe flag (enable thousands grouping) with a minimum field width, the output could be longer than a caller that computed a tight bound on the buffer size from the width would reasonably expect. With an unbounded function such as sprintf, the larger-than-expected output could overflow the caller's destination buffer (an out-of-bounds write).
Last Closed: 2023-02-11 13:10:04 UTC
Bug Depends On: 2167667, 2167668, 2167669, 2167955, 2167956
Bug Blocks: 2166922

Description Sandipan Roy 2023-02-07 08:52:38 UTC
sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=30068
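The overrun described in the Doc Text and in the description above, as an added example in C. This code is not part of this bug report, of glibc, or of the upstream fix; the function names, the canary-probe design and the locale names tried by enable_grouping() are assumptions made here. It contrasts the vulnerable pattern (sprintf into a buffer sized from the width field, width + 1 bytes for "%'*ld") with a hardened form that lets snprintf size the output and bounds the final write, so that even a libc that miscounts the width cannot write past the buffer. The probe formats into a heap block with spare canary bytes after the naive bound and counts how many were overwritten: a correct libc leaves them all intact, while the unfixed glibc 2.37 would clobber two of them for 1,234,567 at width 13. Grouping only happens in a locale that has a thousands separator, so the example first tries to enable one and reports whether it succeeded.

```c
#include <limits.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Switch LC_NUMERIC to a locale that actually has a thousands separator;
   "%'d" groups nothing in the "C" locale.  Returns 1 if grouping is now in
   effect, 0 if no such locale is installed (output is then ungrouped and the
   overrun cannot trigger).  The locale names are assumptions. */
static int enable_grouping(void)
{
    static const char *const candidates[] = { "en_US.UTF-8", "en_US.utf8", "en_US" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        if (setlocale(LC_NUMERIC, candidates[i]) != NULL)
            break;
    const char *sep = localeconv()->thousands_sep;
    return sep != NULL && sep[0] != '\0';
}

/* The "tight bound" from the advisory: the caller assumes "%'*ld" output never
   exceeds the requested minimum width (width >= 0 assumed), so it sizes the
   buffer as width + 1 (for the NUL). */
static size_t naive_bound(int width)
{
    return (size_t)width + 1;
}

#define PROBE_SLACK 16

/* Probe for the overrun without corrupting real memory: sprintf() into a
   heap block holding the naive bound plus PROBE_SLACK canary bytes, then
   count the canary bytes that were overwritten.  A correct libc returns 0;
   the unfixed glibc 2.37 writes past the bound (two bytes in the advisory's
   example of 1,234,567 at width 13). */
static int probe_sprintf_overrun(long value, int width)
{
    size_t bound = naive_bound(width);
    size_t total = bound + PROBE_SLACK;
    unsigned char *buf = malloc(total);
    if (buf == NULL)
        return -1;
    memset(buf, 0xA5, total);
    sprintf((char *)buf, "%'*ld", width, value);   /* the vulnerable pattern */
    int clobbered = 0;
    for (size_t i = bound; i < total; i++)
        if (buf[i] != 0xA5)
            clobbered++;
    free(buf);
    return clobbered;
}

/* Hardened form: let snprintf() report the size it needs instead of trusting
   a bound derived from the format, allocate that, format again with the real
   limit, and refuse any result that does not fit.  The second call is bounded,
   so a libc that miscounts the width can at most cause truncation (reported
   as NULL), never an out-of-bounds write. */
static char *format_grouped(long value, int width)
{
    int need = snprintf(NULL, 0, "%'*ld", width, value);
    if (need < 0 || need == INT_MAX)
        return NULL;
    size_t size = (size_t)need + 1;
    char *out = malloc(size);
    if (out == NULL)
        return NULL;
    int wrote = snprintf(out, size, "%'*ld", width, value);
    if (wrote < 0 || (size_t)wrote >= size) {   /* truncated: the bound was wrong */
        free(out);
        return NULL;
    }
    return out;
}

/* Fixed-buffer variant for callers that cannot allocate: returns 1 on
   success, 0 if the output was truncated (dst is still NUL-terminated). */
static int format_grouped_into(char *dst, size_t dstsz, long value, int width)
{
    int n = snprintf(dst, dstsz, "%'*ld", width, value);
    return n >= 0 && (size_t)n < dstsz;
}

/* Format with format_grouped() and compare against an expected string. */
static int formatted_equals(long value, int width, const char *expected)
{
    char *s = format_grouped(value, width);
    int eq = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return eq;
}

int main(void)
{
    printf("grouping locale available: %s\n", enable_grouping() ? "yes" : "no");
    printf("canary bytes clobbered by sprintf: %d\n", probe_sprintf_overrun(1234567L, 13));
    char *s = format_grouped(1234567L, 13);
    if (s != NULL) {
        printf("format_grouped: \"%s\" (%zu chars)\n", s, strlen(s));
        free(s);
    }
    char small[8];
    printf("fits in 8 bytes: %d\n", format_grouped_into(small, sizeof small, 1234567L, 13));
    return 0;
}
```

On a fixed glibc the probe reports 0 clobbered bytes and format_grouped returns the 13-character "    1,234,567" when a grouping locale is installed (or the ungrouped "      1234567" otherwise). The useful takeaway for callers is the second half: size the destination from snprintf's own answer or use a bounded write with a truncation check, never from a hand-computed bound on the width field.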

Comment 1 Sandipan Roy 2023-02-07 08:55:08 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-36 [bug 2167667]
Affects: fedora-37 [bug 2167669]


Created zig tracking bugs for this issue:

Affects: fedora-36 [bug 2167668]

Comment 2 Siddhesh Poyarekar 2023-02-07 13:51:22 UTC
(In reply to Sandipan Roy from comment #1)
> Created glibc tracking bugs for this issue:
> 
> Affects: fedora-36 [bug 2167667]
> Affects: fedora-37 [bug 2167669]
> 
> 
> Created zig tracking bugs for this issue:
> 
> Affects: fedora-36 [bug 2167668]

Please create a rawhide tracker for this.  This only affects glibc 2.37, which is only in rawhide.

Comment 3 Guilherme de Almeida Suckevicz 2023-02-07 19:17:59 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-rawhide [bug 2167955]


Created zig tracking bugs for this issue:

Affects: fedora-rawhide [bug 2167956]

Comment 4 Carlos O'Donell 2023-02-07 20:27:45 UTC
Fedora Rawhide glibc is fixed with glibc-2.37-1.fc38
https://bodhi.fedoraproject.org/updates/FEDORA-2023-da6855d11c

Comment 9 Product Security DevOps Team 2023-02-11 13:10:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-25139