Bug 101691 - CAN-2003-0689 Buffer overrun in getgrouplist function in initgroups.c
Summary: CAN-2003-0689 Buffer overrun in getgrouplist function in initgroups.c
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc   
Version: 7.3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL: http://sources.redhat.com/cgi-bin/cvs...
Keywords: Security
Depends On:
Reported: 2003-08-05 16:30 UTC by Matt Seitz
Modified: 2016-11-24 15:24 UTC (History)

Fixed In Version: 2.2.5-44
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-11-14 00:23:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:249 normal SHIPPED_LIVE Important: glibc security update 2003-08-22 04:00:00 UTC
Red Hat Product Errata RHSA-2003:325 normal SHIPPED_LIVE : Updated glibc packages provide security and bug fixes 2003-11-12 05:00:00 UTC

Description Matt Seitz 2003-08-05 16:30:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030708

Description of problem:
There is a buffer overrun bug in the "getgroupslist" function in
"libc/grp/initgroups.c".  The "getgrouplist" function always copies all the
groups returned by "internal_getgrouplist", even if this is greater than the
"ngroups" parameter.  This bug can cause segfaults in Samba 3.0.  

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Pass "getgroupslist" an "ngroups" count that is less than the number of
groups and a "groups" buffer that is not large enough to hold the entire list of

Actual Results:  The "getgroupslist" function will copy the entire list of
groups to the buffer, overrunning the end of the buffer 

Expected Results:  The "getgrouplist" buffer should only copy the number of
groups specified in the "ngroups" parameter

Additional info:

The bug was corrected in revision 1.29 of "libc/grp/initgroups.c".  However,
this fix is not present in the current "glibc" release for Red Hat 7.3.
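
As an added illustration (not code from this report or from glibc): a small C model of the bounded behaviour the report expects from getgrouplist, a sentinel check a defender can use to confirm nothing past `ngroups` is written, and the probe-then-retry caller pattern. `sample_groups`, `bounded_getgrouplist`, `guard_survives`, `fetch_with_retry` and `scratch` are constructed names; the group list is made up.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Constructed membership list standing in for what glibc's internal lookup
   (internal_getgrouplist) would return for some user; not real data. */
static const gid_t sample_groups[] = {100, 4, 24, 27, 30, 46, 1000};
#define SAMPLE_COUNT ((int)(sizeof sample_groups / sizeof sample_groups[0]))

/* Bounded variant of getgrouplist() as the report expects it to behave
   (a model, not glibc's code): write at most *ngroups entries, always store
   the true count in *ngroups, return that count on success or -1 when the
   caller's buffer was too small.  groups[*ngroups..] is never touched. */
int bounded_getgrouplist(gid_t *groups, int *ngroups)
{
    int avail = *ngroups;
    int total = SAMPLE_COUNT;
    int copy = total < avail ? total : avail;   /* clamp to caller's buffer */
    if (copy > 0)
        memcpy(groups, sample_groups, (size_t)copy * sizeof(gid_t));
    *ngroups = total;                           /* size the caller needs */
    return total > avail ? -1 : total;
}

/* Sentinel check: pass a buffer of 'avail' slots followed by guard words and
   confirm nothing past the requested size was overwritten while the required
   size was still reported.  Returns 1 when the call stayed in bounds. */
int guard_survives(int avail)
{
    gid_t buf[SAMPLE_COUNT + 1];
    int i, n = avail;
    if (avail < 0 || avail > SAMPLE_COUNT)
        return 0;                               /* outside the modelled range */
    for (i = 0; i < SAMPLE_COUNT + 1; i++)
        buf[i] = 0xDEADu;                       /* guard pattern */
    (void)bounded_getgrouplist(buf, &n);
    for (i = avail; i < SAMPLE_COUNT + 1; i++)
        if (buf[i] != 0xDEADu)
            return 0;                           /* overrun detected */
    return n == SAMPLE_COUNT;
}

/* Caller pattern a program such as Samba can use: probe with a tiny buffer,
   read the required size from *ngroups, then retry into 'out' (capacity
   'cap').  Returns the group count, or -1 if 'cap' is still too small. */
gid_t scratch[16];                              /* caller's output buffer */
int fetch_with_retry(gid_t *out, int cap)
{
    gid_t probe[1];
    int n = 1;                                  /* deliberately too small */
    int rc = bounded_getgrouplist(probe, &n);
    if (rc != -1) { out[0] = probe[0]; return rc; }  /* fit in one slot */
    if (n > cap)
        return -1;                              /* grow 'out', then retry */
    return bounded_getgrouplist(out, &n);
}
```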

Comment 1 Matt Seitz 2003-08-05 17:35:53 UTC
Sorry, that should have said "getgrouplist", not "getgroupslist"

Comment 2 Matt Seitz 2003-08-05 17:41:34 UTC
Changed summary to make searching easier:
-Removed quotation marks from getgrouplist
-Added initgroups.c

Comment 3 David Lawrence 2003-08-22 21:09:53 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.


Comment 4 Matt Seitz 2003-09-10 14:58:41 UTC
The errata mentioned in Comment #3 does not include a fix for Red Hat 7.3, the
version I am using.  So that errata does not solve my problem.

Comment 5 Mark J. Cox 2003-10-30 10:39:47 UTC
We're still working on this issue for RHL releases where upgrading glibc has
some side effects.

Comment 6 Matt Seitz 2003-10-30 17:17:44 UTC
Thank you for the update and continuing to work on this issue.

Could the side effects be minimized by taking the existing glibc 2.2.5-43,
adding the fix from "libc/grp/initgroups.c" rev. 1.29, and releasing a glibc

Comment 7 Matt Seitz 2003-11-12 19:37:01 UTC
I just saw that Red Hat has released a glibc 2.2.5-44 that claims to
fix this problem.  Thank you for following through on this.

Comment 8 Ulrich Drepper 2003-11-14 00:23:50 UTC
We do not provide support for non-standard glibcs.  If you want to do
it you're on your own.  No change which goes into an errata
(especially for a release that old) is not needed.  By leaving out
changes you are doing something we don't regard as smart.

Comment 9 Matt Seitz 2003-11-18 00:28:31 UTC
I'm sorry, I wasn't clear when I wrote comment #6.  I did not want to
compile my own "glibc".  Rather, I was suggesting how Red Hat could
release an errata for 7.3 with a minimum of changes.

Red Hat has since released an official errata, RHSA-2003:325-10
(https://rhn.redhat.com/errata/RHSA-2003-325.html), which fixes the
problem.  I now use that version.  I appreciate Red Hat releasing an
official fix for 7.3 before it reaches End of Life. 
