Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2012-0864 glibc: FORTIFY_SOURCE format string protection bypass via "nargs" integer overflow
Product: [Other] Security Response
Reporter: Stefan Cornelius <scorneli>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Version: unspecified
CC: fweimer, jakub, law, lersek, mfranc, schwab
Doc Type: Bug Fix
Last Closed: 2012-03-20 05:16:57 EDT
Bug Depends On: 794797, 794813, 794814, 794815, 794817
Description Stefan Cornelius 2012-02-17 10:11:58 EST
In the Phrack article "A Eulogy for Format Strings", a researcher using the nickname "Captain Planet" reported an integer overflow flaw in the format string protection mechanism offered by FORTIFY_SOURCE. A remote attacker could provide a specially crafted executable, leading to FORTIFY_SOURCE format string protection mechanism bypass, when executed.

References:
http://www.phrack.org/issues.html?issue=67&id=9#article

Upstream bug and Kees Cook's proposed patches:
http://sourceware.org/bugzilla/show_bug.cgi?id=13656
http://sourceware.org/ml/libc-alpha/2012-02/msg00023.html
http://sourceware.org/ml/libc-alpha/2012-02/msg00012.html
http://sourceware.org/ml/libc-alpha/2012-02/msg00073.html
Comment 1 Stefan Cornelius 2012-02-17 10:48:02 EST
*** Bug 794763 has been marked as a duplicate of this bug. ***
Comment 2 Stefan Cornelius 2012-02-17 10:52:56 EST
A CVE identifier of CVE-2012-0864 has been assigned to this issue.
Comment 3 Jeff Law 2012-02-17 11:31:49 EST
Presumably you're going to create the appropriate RHEL & Fedora bugs to track this issue? It looks like Kees posted an updated patch yesterday; I haven't seen any replies to that submission yet.
http://cygwin.com/ml/libc-alpha/2012-02/msg00328.html
Comment 4 Stefan Cornelius 2012-02-17 11:47:33 EST
This issue affects the version of the glibc package, as shipped with Red Hat Enterprise Linux 5 and 6. This issue affects the version of the glibc package, as shipped with Fedora releases 15 and 16. The child bugs for affected versions will follow shortly.
Comment 5 Stefan Cornelius 2012-02-17 11:57:32 EST
Created glibc tracking bugs for this issue

Affects: fedora-all [bug 794797]
Comment 8 Laszlo Ersek 2012-03-01 06:44:32 EST
(Learned about this on LWN today.)

(In reply to comment #3)
> It looks like Kees posted an updated patch yesterday; I haven't seen any
> replies to that submission yet.
>
> http://cygwin.com/ml/libc-alpha/2012-02/msg00328.html

The easiest fix would have been to restrict "nargs" to NL_ARGMAX.
http://www.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html#tag_13_23_03_07

$ cat /etc/redhat-release
Red Hat Enterprise Linux Workstation release 6.2 (Santiago)
$ getconf NL_ARGMAX
4096

I guess with the patch that went in an attacker could still force an allocation attempt of e.g. 1.5 GB on the heap. I think it's plain unreasonable to allow that. 4096 numbered arguments should be enough for anyone (TM), including field width, precision, and "normal data" args.
Comment 9 Tomas Hoger 2012-03-05 04:53:17 EST
Fix committed upstream in:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=7c1f4834d398163d1ac8101e35e9c36fc3176e6e

Followed by a correction patch that sets errno correctly in case of the failure:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fa0355175d60ccf610c98f2345504603d3b8ea57

Related discussion starts at:
http://sourceware.org/ml/libc-alpha/2012-03/msg00053.html
Comment 10 Jeff Law 2012-03-05 12:02:28 EST
Yea saw it this morning. The setting of errno is fairly minor; I've pulled that into our 6.3 tree and will pull it into our 5.9 tree shortly. I don't think it's worth respinning 5.8-z or 6.2-z just to pick up those two errno settings.
Comment 12 Tomas Hoger 2012-03-06 06:01:50 EST
(In reply to comment #8)
> The easiest fix would have been to restrict "nargs" to NL_ARGMAX.

Bounced your proposal to libc-alpha:
http://sourceware.org/ml/libc-alpha/2012-03/msg00101.html

Upstream preference is to only limit by the available memory, rather than using any other arbitrary limit.
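The two mitigation styles debated in comments 8 and 12, as an added illustration written for this page (it is not glibc's code and does not reproduce the upstream commit): a helper that derives the "nargs" count from "%N$" positional references, an upstream-style check that rejects any count whose per-argument array size would overflow an int, and a stricter variant that also caps the count at NL_ARGMAX. The helper names and the BYTES_PER_ARG figure are assumptions of this example.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#ifndef NL_ARGMAX
#define NL_ARGMAX 4096  /* the value getconf printed in comment 8 */
#endif

/* Bookkeeping bytes per positional argument, standing in for the
   per-argument arrays vfprintf keeps; an assumption of this example. */
#define BYTES_PER_ARG (sizeof(long double) + 2 * sizeof(int))

/* Highest N referenced by a "%N$" conversion in fmt (0 if none). The digit
   accumulator saturates at ULONG_MAX so an overlong N cannot wrap the
   counter itself. Hypothetical helper written for this example. */
unsigned long max_positional_ref(const char *fmt)
{
    unsigned long max_ref = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }            /* literal "%%" */
        unsigned long n = 0;
        const char *q = p + 1;
        while (*q >= '0' && *q <= '9') {
            if (n >= ULONG_MAX / 10) return ULONG_MAX;  /* saturate */
            n = n * 10 + (unsigned long)(*q - '0');
            q++;
        }
        if (*q == '$' && n > max_ref) max_ref = n;
    }
    return max_ref;
}

/* Upstream-style check: if nargs * BYTES_PER_ARG would not fit in an int,
   set errno = EOVERFLOW and return 0; otherwise return the byte count. */
size_t positional_alloc_size(unsigned long nargs)
{
    if (nargs > (unsigned long)INT_MAX / BYTES_PER_ARG) {
        errno = EOVERFLOW;
        return 0;
    }
    return (size_t)nargs * BYTES_PER_ARG;
}

/* Variant following the NL_ARGMAX proposal in comment 8: also refuse any
   count above the documented limit, so a format string cannot force a
   huge allocation that merely happens to be representable. */
size_t positional_alloc_size_capped(unsigned long nargs)
{
    if (nargs > NL_ARGMAX) { errno = EOVERFLOW; return 0; }
    return positional_alloc_size(nargs);
}
```

The first check is what blocks the wrap-around that made the allocation too small; the capped variant is the stricter policy the thread discusses, which upstream declined in favour of limiting only by available memory.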
Comment 13 errata-xmlrpc 2012-03-15 12:38:06 EDT
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:0393 https://rhn.redhat.com/errata/RHSA-2012-0393.html
Comment 14 errata-xmlrpc 2012-03-19 17:57:41 EDT
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:0397 https://rhn.redhat.com/errata/RHSA-2012-0397.html
Comment 15 Tomas Hoger 2012-03-20 05:16:57 EDT
Comment 16 errata-xmlrpc 2012-04-17 13:54:01 EDT
This issue has been addressed in the following products:

RHEV-H, V2V and Agents for RHEL-5

Via RHSA-2012:0488 https://rhn.redhat.com/errata/RHSA-2012-0488.html