Bug 2258913

Summary: CVE-2024-0684 coreutils: heap overflow in split --line-bytes with very long lines [fedora-all]
Product: [Fedora] Fedora
Reporter: Pádraig Brady <p>
Component: coreutils
Assignee: Lukáš Zaoral <lzaoral>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 39
CC: eggert, jim, kdudka, mcascell, security-response-team
Keywords: Security, SecurityTracking
Hardware: Unspecified
OS: Unspecified
Fixed In Version: coreutils-9.3-5.fc39
Last Closed: 2024-01-23 00:58:31 UTC
Type: Bug
Bug Blocks: 2258948    

Description Pádraig Brady 2024-01-18 00:35:48 UTC
Since coreutils 9.2 https://github.com/coreutils/coreutils/commit/40bf1591b
introduced a heap overflow issue, which can be triggered like:

    { printf '%131070s\n' ''; printf 'x\n'; printf '%131071s\n' ''; } > in
    split -C 131072 ---io=131072 in

That will dump core, but as with all heap overflows is a potential security issue.
I'll leave it up to you to determine whether a CVE is required.

There is already a patch upstream, but it's not flagged as a security issue,
in an abundance of caution, in case this issue is more security sensitive than first envisaged. The upstream patch is:
https://github.com/coreutils/coreutils/commit/c4c5ed8f4.patch
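
A regression check a packager could run to confirm that a backported build such as coreutils-9.3-5.fc39 survives the reproducer from the description and still produces correct pieces. This is an added example, not part of the bug report or of coreutils; the function names `classify_status`, `pieces_valid` and `check_split` and the `piece.` output prefix are illustrative.

```shell
#!/bin/sh
# Added example (not from the bug report or coreutils); names are illustrative.

# Map an exit status to a verdict. Above 128 the process died on a signal
# (139 = 128 + SIGSEGV, 134 = 128 + SIGABRT).
classify_status() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -gt 128 ]; then echo crash
    else echo error
    fi
}

# usage: pieces_valid INPUT LIMIT PIECE...
# The pieces, concatenated in order, must reproduce INPUT byte for byte,
# and no piece may exceed LIMIT bytes (the -C contract).
pieces_valid() {
    input=$1 limit=$2
    shift 2
    cat "$@" | cmp -s - "$input" || return 1
    for piece in "$@"; do
        [ $(( $(wc -c < "$piece") )) -le "$limit" ] || return 1
    done
}

# Run the reproducer from the description in a scratch directory and print
# one verdict: ok, crash, error (split refused the options) or corrupt.
check_split() {
    dir=$(mktemp -d) || return 2
    verdict=$(
        cd "$dir" || exit 2
        { printf '%131070s\n' ''; printf 'x\n'; printf '%131071s\n' ''; } > in
        st=0
        split -C 131072 ---io=131072 in piece. 2>/dev/null || st=$?
        v=$(classify_status "$st")
        if [ "$v" = ok ] && ! pieces_valid in 131072 piece.*; then
            v=corrupt
        fi
        echo "$v"
    )
    rm -rf "$dir"
    echo "$verdict"
    [ "$verdict" = ok ]
}
```

A verdict of `error` means the local `split` rejected the options (for example a non-GNU implementation), not that it is patched.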

Comment 1 Lukáš Zaoral 2024-01-18 08:53:59 UTC
Thank you for letting us know, Pádraig!
I have to wait for the Security Response Team to finish the analysis.  When the analysis is done, I'll backport your patch to F39 and newer ASAP.

Comment 2 Fedora Update System 2024-01-18 15:02:28 UTC
FEDORA-2024-6b85e8848f has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-6b85e8848f

Comment 3 Lukáš Zaoral 2024-01-18 16:32:06 UTC
FEDORA-2024-7e5ca38c70 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-7e5ca38c70

Comment 4 Fedora Update System 2024-01-19 18:04:13 UTC
FEDORA-2024-6b85e8848f has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-6b85e8848f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-6b85e8848f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2024-01-23 00:58:31 UTC
FEDORA-2024-6b85e8848f has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.