Bug 101691 - CAN-2003-0689 Buffer overrun in getgrouplist function in initgroups.c
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 7.3
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Jakub Jelinek
QA Contact: Brian Brock
URL: http://sources.redhat.com/cgi-bin/cvs...
Keywords: Security
Reported: 2003-08-05 12:30 EDT by Matt Seitz
Modified: 2016-11-24 10:24 EST (History)

Fixed In Version: 2.2.5-44
Doc Type: Bug Fix
Last Closed: 2003-11-13 19:23:50 EST


Attachments: None
Description Matt Seitz 2003-08-05 12:30:52 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030708

Description of problem:
There is a buffer overrun bug in the "getgroupslist" function in
"libc/grp/initgroups.c".  The "getgrouplist" function always copies all the
groups returned by "internal_getgrouplist", even if this is greater than the
"ngroups" parameter.  This bug can cause segfaults in Samba 3.0.  


Version-Release number of selected component (if applicable):
glibc-2.2.5-43

How reproducible:
Always

Steps to Reproduce:
1.  Pass "getgroupslist" an "ngroups" count that is less than the number of
groups and a "groups" buffer that is not large enough to hold the entire list of
groups. 
    

Actual Results:  The "getgroupslist" function will copy the entire list of
groups to the buffer, overrunning the end of the buffer 

Expected Results:  The "getgrouplist" buffer should only copy the number of
groups specified in the "ngroups" parameter

Additional info:

The bug was corrected in revision 1.29 of "libc/grp/initgroups.c".  However,
this fix is not present in the current "glibc" release for Red Hat 7.3.
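The defect the report describes, as an added example that is not part of the original report and not glibc's code: a model of the copy logic in getgrouplist before and after the initgroups.c fix, a canary check that makes the overrun observable instead of relying on undefined behaviour, and the grow-and-retry calling pattern that is safe once the library honours ngroups. The group list, the user name "smbuser" and every helper name (internal_getgrouplist_model, getgrouplist_buggy, getgrouplist_fixed, count_overrun_slots, fetch_groups_safely) are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the supplementary groups that glibc's
 * internal_getgrouplist would collect from NSS for the user.  Eight
 * entries plus the primary group makes nine, so any caller passing
 * ngroups < 9 hits the condition the report describes. */
static const gid_t k_supplementary[] = { 4, 20, 24, 27, 30, 46, 1000, 1001 };
#define K_SUPP_COUNT ((int)(sizeof k_supplementary / sizeof k_supplementary[0]))

/* Hypothetical model of internal_getgrouplist (not glibc's code): fills
 * `found`, which must hold K_SUPP_COUNT + 1 entries, with the primary
 * group followed by the supplementary groups and returns the count. */
static int internal_getgrouplist_model(const char *user, gid_t group, gid_t *found)
{
    (void)user;                 /* real glibc keys the NSS lookup on the name */
    found[0] = group;
    memcpy(found + 1, k_supplementary, sizeof k_supplementary);
    return K_SUPP_COUNT + 1;
}

/* Models the behaviour reported against initgroups.c before rev 1.29:
 * every group found is copied, whatever *ngroups says. */
int getgrouplist_buggy(const char *user, gid_t group, gid_t *groups, int *ngroups)
{
    gid_t found[K_SUPP_COUNT + 1];
    int n = internal_getgrouplist_model(user, group, found);
    memcpy(groups, found, (size_t)n * sizeof(gid_t));   /* overruns when n > *ngroups */
    *ngroups = n;
    return n;
}

/* Models the corrected behaviour and the getgrouplist(3) contract: copy at
 * most *ngroups entries, always hand the real count back through *ngroups,
 * and return -1 when the caller's buffer was too small. */
int getgrouplist_fixed(const char *user, gid_t group, gid_t *groups, int *ngroups)
{
    gid_t found[K_SUPP_COUNT + 1];
    int n = internal_getgrouplist_model(user, group, found);
    int limit = *ngroups;
    int ncopy = n < limit ? n : limit;
    if (ncopy > 0)
        memcpy(groups, found, (size_t)ncopy * sizeof(gid_t));
    *ngroups = n;
    return n > limit ? -1 : n;
}

#define WINDOW 4
#define CANARY ((gid_t)0xDEADBEEF)

typedef int (*getgrouplist_fn)(const char *, gid_t, gid_t *, int *);

/* Gives fn a WINDOW-slot buffer that sits at the front of a larger,
 * canary-filled array, so an overrun lands on canaries we can inspect.
 * Returns the number of slots past the window that were overwritten. */
int count_overrun_slots(getgrouplist_fn fn)
{
    gid_t backing[WINDOW + K_SUPP_COUNT + 1];
    int i, clobbered = 0, ngroups = WINDOW;
    for (i = 0; i < WINDOW + K_SUPP_COUNT + 1; i++)
        backing[i] = CANARY;
    fn("smbuser", 100, backing, &ngroups);
    for (i = WINDOW; i < WINDOW + K_SUPP_COUNT + 1; i++)
        if (backing[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* The calling pattern that is safe once the library honours *ngroups:
 * start with a small guess and, on -1, grow the buffer to the count the
 * call reported and retry.  Returns the group count (caller frees *out)
 * or -1 on allocation failure or if the library stops reporting growth. */
int fetch_groups_safely(const char *user, gid_t group, gid_t **out)
{
    int ngroups = 2;
    gid_t *buf = NULL;
    for (;;) {
        gid_t *tmp = realloc(buf, (size_t)ngroups * sizeof(gid_t));
        if (tmp == NULL) { free(buf); return -1; }
        buf = tmp;
        int want = ngroups;
        if (getgrouplist_fixed(user, group, buf, &want) != -1) {
            *out = buf;
            return want;
        }
        if (want <= ngroups) { free(buf); return -1; }   /* no larger size reported */
        ngroups = want;
    }
}

int main(void)
{
    gid_t *list = NULL;
    int n = fetch_groups_safely("smbuser", 100, &list);
    printf("buggy copy overwrote %d slots past the buffer\n", count_overrun_slots(getgrouplist_buggy));
    printf("fixed copy overwrote %d slots past the buffer\n", count_overrun_slots(getgrouplist_fixed));
    printf("safe caller received %d groups, primary gid %u\n", n, (unsigned)list[0]);
    free(list);
    return 0;
}
```

The retry loop is the documented way to size the buffer, but note the caveat it illustrates: against a glibc that still has this bug, the overrun happens inside the first, undersized call, so the loop cannot protect the caller. The only fixes are the updated package (2.2.5-44 via RHSA-2003:325 for Red Hat Linux 7.3, as the thread concludes) or, as a stopgap, passing a buffer sized for the largest group count the deployment can produce.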
Comment 1 Matt Seitz 2003-08-05 13:35:53 EDT
Sorry, that should have said "getgrouplist", not "getgroupslist"
Comment 2 Matt Seitz 2003-08-05 13:41:34 EDT
Changed summary to make searching easier:
-Removed quotation marks from getgrouplist
-Added initgroups.c
Comment 3 David Lawrence 2003-08-22 17:09:53 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-249.html
Comment 4 Matt Seitz 2003-09-10 10:58:41 EDT
The errata mentioned in Comment #3 does not include a fix for Red Hat 7.3, the
version I am using.  So that errata does not solve my problem.
Comment 5 Mark J. Cox (Product Security) 2003-10-30 05:39:47 EST
We're still working on this issue for RHL releases where upgrading glibc has
some side effects.
Comment 6 Matt Seitz 2003-10-30 12:17:44 EST
Thank you for the update and continuing to work on this issue.

Could the side effects be minimized by taking the existing glibc 2.2.5-43,
adding the fix from "libc/grp/initgroups.c" rev. 1.29, and releasing a glibc
2.2.5-44?  
Comment 7 Matt Seitz 2003-11-12 14:37:01 EST
I just saw that Red Hat has released a glibc 2.2.5-44 that claims to
fix this problem.  Thank you for following through on this.
Comment 8 Ulrich Drepper 2003-11-13 19:23:50 EST
We do not provide support for non-standard glibcs.  If you want to do
it you're on your own.  No change which goes into an errata
(especially for a release that old) is not needed.  By leaving out
changes you are doing something we don't regard as smart.
Comment 9 Matt Seitz 2003-11-17 19:28:31 EST
I'm sorry, I wasn't clear when I wrote comment #6.  I did not want to
compile my own "glibc".  Rather, I was suggesting how Red Hat could
release an errata for 7.3 with a minimum of changes.

Red Hat has since released an official errata, RHSA-2003:325-10
(https://rhn.redhat.com/errata/RHSA-2003-325.html), which fixes the
problem.  I now use that version.  I appreciate Red Hat releasing an
official fix for 7.3 before it reaches End of Life. 
