Red Hat Bugzilla – Bug 101691
CAN-2003-0689 Buffer overrun in getgrouplist function in initgroups.c
Last modified: 2007-04-18 12:56:39 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030708
Description of problem:
There is a buffer overrun bug in the "getgroupslist" function in
"libc/grp/initgroups.c". The "getgrouplist" function always copies all the
groups returned by "internal_getgrouplist", even if this is greater than the
"ngroups" parameter. This bug can cause segfaults in Samba 3.0.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Pass "getgroupslist" an "ngroups" count that is less than the number of
groups and a "groups" buffer that is not large enough to hold the entire list of
Actual Results: The "getgroupslist" function will copy the entire list of
groups to the buffer, overrunning the end of the buffer
Expected Results: The "getgrouplist" buffer should only copy the number of
groups specified in the "ngroups" parameter
The bug was corrected in revision 1.29 of "libc/grp/initgroups.c". However,
this fix is not present in the current "glibc" release for Red Hat 7.3.
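The contract the report describes (copy at most ngroups entries, report the required count, return -1 on truncation), shown as a small added model. This is example code written for this page, not glibc's initgroups.c: the real getgrouplist also takes a user name and primary gid, which are dropped here, and the "internal list" is a constructed stand-in for what internal_getgrouplist returns. The buggy variant reproduces the Actual Results, the fixed variant the Expected Results, and fetch_groups shows the caller-side grow-and-retry pattern that only works once the function honours ngroups.

```c
/* Added example (not glibc source): models the getgrouplist contract
 * from the bug report. The caller passes a "groups" buffer and *ngroups
 * (its capacity); a correct implementation never writes more than
 * *ngroups entries, reports the needed count via *ngroups, and returns
 * -1 when the list did not fit. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the groups the internal lookup would return
 * for a hypothetical user: primary group followed by four others. */
static const gid_t fake_internal_list[] = { 100, 4, 20, 24, 27 };
#define FAKE_INTERNAL_COUNT ((int)(sizeof fake_internal_list / sizeof fake_internal_list[0]))

/* Sentinel placed just past the caller's claimed capacity so the harness
 * below can detect writes beyond *ngroups without undefined behaviour. */
#define CANARY ((gid_t)0xDEADBEEF)

/* Buggy variant (Actual Results): copies the whole internal list no matter
 * what *ngroups says, so a short buffer is overrun. */
int getgrouplist_buggy(gid_t *groups, int *ngroups)
{
    int n = FAKE_INTERNAL_COUNT;
    memcpy(groups, fake_internal_list, (size_t)n * sizeof(gid_t)); /* no bound check */
    *ngroups = n;
    return n;
}

/* Fixed variant (Expected Results): copies at most *ngroups entries,
 * always stores the number actually needed in *ngroups, and returns -1
 * when the caller's buffer was too small. */
int getgrouplist_fixed(gid_t *groups, int *ngroups)
{
    int needed = FAKE_INTERNAL_COUNT;
    int cap = *ngroups;
    int copy = needed < cap ? needed : cap;
    if (copy > 0)
        memcpy(groups, fake_internal_list, (size_t)copy * sizeof(gid_t));
    *ngroups = needed;
    return needed <= cap ? needed : -1;
}

/* Caller-side pattern: start with a small buffer, and on -1 grow to the
 * reported size and retry once. Returns the count and a malloc'd list
 * in *out, or -1 on failure. Only safe with an implementation that
 * honours *ngroups; with the buggy one the first call would overrun. */
int fetch_groups(int (*impl)(gid_t *, int *), gid_t **out)
{
    int ngroups = 2; /* deliberately too small, like step 1 of the report */
    gid_t *buf = malloc((size_t)ngroups * sizeof(gid_t));
    if (!buf) return -1;
    int rc = impl(buf, &ngroups);
    if (rc == -1) {
        gid_t *bigger = realloc(buf, (size_t)ngroups * sizeof(gid_t));
        if (!bigger) { free(buf); return -1; }
        buf = bigger;
        rc = impl(buf, &ngroups);
    }
    if (rc < 0) { free(buf); return -1; }
    *out = buf;
    return rc;
}

/* Convenience wrapper: fetches via impl, checks the list matches the
 * constructed internal list, frees it, and returns the count (or -1). */
int fetch_groups_count(int (*impl)(gid_t *, int *))
{
    gid_t *list = NULL;
    int n = fetch_groups(impl, &list);
    if (n < 0) return -1;
    int ok = (n == FAKE_INTERNAL_COUNT) &&
             memcmp(list, fake_internal_list, (size_t)n * sizeof(gid_t)) == 0;
    free(list);
    return ok ? n : -1;
}

/* Harness: the real allocation is big enough for the whole list plus a
 * guard, but the caller *claims* capacity 2. Any write at index 2 or
 * beyond is a bounds violation of the claimed size. Returns 1 if the
 * canary at index 2 survived (no overrun), 0 if it was clobbered. */
int canary_intact(int (*impl)(gid_t *, int *))
{
    gid_t buf[FAKE_INTERNAL_COUNT + 1];
    for (int i = 0; i < FAKE_INTERNAL_COUNT + 1; i++) buf[i] = CANARY;
    int ngroups = 2;
    impl(buf, &ngroups);
    return buf[2] == CANARY;
}

int main(void)
{
    printf("buggy respects ngroups: %d\n", canary_intact(getgrouplist_buggy));
    printf("fixed respects ngroups: %d\n", canary_intact(getgrouplist_fixed));
    printf("fixed via grow-and-retry: %d groups\n", fetch_groups_count(getgrouplist_fixed));
    return 0;
}
```

The canary harness keeps the backing array large enough for the whole constructed list so the buggy variant's overrun of the claimed capacity is observable without corrupting the stack; in a real call the overrun lands in whatever follows the caller's buffer, which is the Samba segfault the report mentions.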
Sorry, that should have said "getgrouplist", not "getgroupslist"
Changed summary to make searching easier:
-Removed quotation marks from getgrouplist
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.
The errata mentioned in Comment #3 does not include a fix for Red Hat 7.3, the
version I am using. So that errata does not solve my problem.
We're still working on this issue for RHL releases where upgrading glibc has
some side effects.
Thank you for the update and continuing to work on this issue.
Could the side effects be minimized by taking the existing glibc 2.2.5-43,
adding the fix from "libc/grp/initgroups.c" rev. 1.29, and releasing a glibc
I just saw that Red Hat has released a glibc 2.2.5-44 that claims to
fix this problem. Thank you for following through on this.
We do not provide support for non-standard glibcs. If you want to do
it you're on your own. No change which goes into an errata
(especially for a release that old) is not needed. By leaving out
changes you are doing something we don't regard as smart.
I'm sorry, I wasn't clear when I wrote comment #6. I did not want to
compile my own "glibc". Rather, I was suggesting how Red Hat could
release an errata for 7.3 with a minimum of changes.
Red Hat has since released an official errata, RHSA-2003:325-10
(https://rhn.redhat.com/errata/RHSA-2003-325.html), which fixes the
problem. I now use that version. I appreciate Red Hat releasing an
official fix for 7.3 before it reaches End of Life.