Bug 769722 (CVE-2011-4620)

Summary: CVE-2011-4620 plib ulSetError() buffer overflow
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: hdegoede, matthias, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20111220,reported=20111221,source=secunia,cvss2=4.1/AV:L/AC:M/Au:S/C:P/I:P/A:P,fedora-all/plib=affected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-04-02 21:43:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 771502

Description Kurt Seifried 2011-12-21 17:05:05 EST
https://secunia.com/advisories/47297/
http://plib.sourceforge.net/index.html
http://www.exploit-db.com/exploits/18258/

From Secunia:

======================
*Description*
A vulnerability has been discovered in PLIB, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a boundary error within the "ulSetError()" function (src/util/ulError.cxx) when creating the error message, which can be exploited to overflow a static buffer.

Successful exploitation allows the execution of arbitrary code but requires that the attacker can e.g. control the content of an overly long error message passed to the "ulSetError()" function.

The vulnerability is confirmed in version 1.8.5. Other versions may also be affected.
====================== 

Was found via TORCS, see exploit-db for reproducer.
Comment 1 Hans de Goede 2011-12-29 10:03:10 EST
This is a simple case of a vsprintf overflowing a statically allocated buffer. I've done a build of plib for rawhide switching to vsnprintf.

I've not created updated builds for F-15 / F-16, since the overflow will be caught by FORTIFY_SOURCE (and plib is compiled with that), so this poses no more threat than a DoS.

Let me know if the security team wants me to also issue fixed packages for F-15 and F-16.
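The vsprintf-to-vsnprintf change described in the comment above, as an added example that is not plib's own code: a fixed-size static error buffer (size and guard word are assumptions) written through an unbounded setter for contrast and through a bounded setter that truncates and reports truncation instead of overflowing.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Constructed example: a fixed-size static error buffer of the kind the
   report describes, followed by a guard word so a test can verify that
   nothing was written past the buffer. Size and guard are assumptions. */
#define ERR_BUF_LEN 256
#define GUARD_VALUE 0x5A5A5A5AU
static struct {
    char buf[ERR_BUF_LEN];
    unsigned guard;
} err = { "", GUARD_VALUE };
/* Vulnerable shape (shown for contrast, never called in this example):
   vsprintf has no bound, so a message longer than ERR_BUF_LEN - 1 bytes
   runs off the end of err.buf into whatever follows it. */
void set_error_unbounded(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(err.buf, fmt, ap);
    va_end(ap);
}
/* Hardened shape: vsnprintf writes at most ERR_BUF_LEN bytes and always
   NUL-terminates, so an overlong message is truncated, not overflowed.
   Returns 1 if truncation happened so the caller can log that fact. */
int set_error_bounded(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(err.buf, sizeof err.buf, fmt, ap);
    va_end(ap);
    if (n < 0) { err.buf[0] = '\0'; return 0; }   /* encoding error */
    return (size_t)n >= sizeof err.buf;  /* n is the untruncated length */
}
const char *get_error(void) { return err.buf; }
int guard_intact(void) { return err.guard == GUARD_VALUE; }
/* Builds a message of msg_len 'A's, stores it through the bounded setter
   and returns its truncation flag; check guard_intact() afterwards. */
int store_message_of_length(size_t msg_len)
{
    char tmp[2048];
    if (msg_len >= sizeof tmp) msg_len = sizeof tmp - 1;
    memset(tmp, 'A', msg_len);
    tmp[msg_len] = '\0';
    return set_error_bounded("%s", tmp);
}
```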
Comment 2 Vincent Danen 2012-01-03 17:23:35 EST
If you could, yes.  I'll file trackers for it.  Even though it is just a DoS, we should correct it.
Comment 3 Vincent Danen 2012-01-03 17:24:20 EST
Created plib tracking bugs for this issue

Affects: fedora-all [bug 771502]
Comment 4 Fedora Update System 2012-01-15 14:56:24 EST
plib-1.8.5-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-01-15 15:00:56 EST
plib-1.8.5-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.