Bug 761245 (CVE-2009-5029)

Summary: CVE-2009-5029 glibc: __tzfile_read integer overflow to buffer overflow
Product: [Other] Security Response Reporter: Ramon de C Valle <rcvalle>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: arekm, bressers, dwalsh, fweimer, jakub, law, mfranc, mjc, moshiro, schwab
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard: impact=moderate,public=20090601,reported=20090601,source=internet,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,rhel-3/glibc=affected,rhel-3/compat-glibc=affected,rhel-4/glibc=affected,rhel-4/compat-glibc=affected,rhel-5/glibc=affected,rhel-5/compat-glibc=affected,rhel-6/glibc=affected,rhel-6/compat-glibc=affected,fedora-all/glibc=affected,cwe=CWE-190[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-14 09:41:49 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 716899, 767685, 767686, 767687, 767688, 767690, 767691, 767692, 767693, 767694, 767695, 767696, 769360    
Bug Blocks: 767564    

Description Ramon de C Valle 2011-12-07 17:06:21 EST
There exists a integer overflow to buffer overflow vulnerability within __tzfile_read function of the GNU C Library. This vulnerability was published by dividead early in 2009 in the following blog post:

http://dividead.wordpress.com/2009/06/01/glibc-timezone-integer-overflow/

In December 3, Kingcope, at Full Disclosure Mailing List, noted vsftpd as one possible attack vector for this issue:

http://lists.grok.org.uk/pipermail/full-disclosure/2011-December/084452.html
Comment 10 Ramon de C Valle 2011-12-13 11:29:25 EST
Exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd
http://rcvalle.com/post/14169476482/exploiting-glibc-tzfile-read-integer-overflow-to
Comment 13 Ramon de C Valle 2011-12-14 11:46:37 EST
Created glibc tracking bugs for this issue

Affects: fedora-all [bug 767696]
Comment 14 Ramon de C Valle 2011-12-15 09:23:49 EST
More on exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd
http://rcvalle.com/post/14261796328/more-on-exploiting-glibc-tzfile-read-integer-overflow
Comment 15 Jeff Law 2011-12-15 11:41:42 EST
So I'm just coming up to speed on this problem.  If I've read things correctly, the problem is the integer overflow if mr. badguy constructs a bogus tzfile.  The integer overflow is used to generate a "useful" size for the malloc call.  After that I'm a bit lost, though it may not matter.

ISTM we need to verify that the computation of total_size, tzspec_len don't overflow nor does total_size + tzspec_len + extra overflow.  If an overflow is detected it appears we can safely "goto lose".

Does that match your interpretation of the core issue and what needs to be changed to resolve it?  Having never worked with security errata before, are there restrictions on discussing it on the upstream mailing lists or with the upstream developers privately?
Comment 16 Ramon de C Valle 2011-12-15 13:13:04 EST
Hi Jeff,

There are a few more checks to be made beyond these. I recommend contacting the developers for an appropriate correction. Feel free to publicly discuss this issue on mailing-lists since it is public since earlier 2009.
Comment 17 Tomas Hoger 2011-12-16 06:14:06 EST
(In reply to comment #15)
> The integer overflow is used to generate a "useful" size for the malloc call. 
> After that I'm a bit lost, though it may not matter.

This is a common flaw pattern - an integer overflow / wrap around in the expression used to compute size passed to malloc results in an allocation of the buffer of the insufficient size.  Later processing, however, tries to write more data to the buffer, resulting in (heap-based) buffer overflow, i.e. possibly exploitable memory corruption.
Comment 20 Fedora Update System 2012-01-17 15:24:39 EST
glibc-2.14.1-5 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 errata-xmlrpc 2012-01-24 16:17:49 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0058 https://rhn.redhat.com/errata/RHSA-2012-0058.html
Comment 24 errata-xmlrpc 2012-02-13 15:35:17 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0126 https://rhn.redhat.com/errata/RHSA-2012-0126.html
Comment 25 errata-xmlrpc 2012-02-13 15:35:52 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html