Bug 1192525 - (CVE-2015-8982) CVE-2015-8982 glibc: multiple overflows in strxfrm()
Status: CLOSED DEFERRED
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20150213,reported=2...
Keywords: Security
Depends On: 1192527
Blocks: 1187112 1192526
Reported: 2015-02-13 10:50 EST by Vasyl Kaigorodov
Modified: 2017-11-08 04:37 EST (History)
CC List: 10 users

See Also:
Fixed In Version: glibc 2.21
Doc Type: Bug Fix
Last Closed: 2015-11-24 03:29:24 EST


Attachments
strxfrm-alloca.c (407 bytes, text/plain)
2015-02-13 10:52 EST, Vasyl Kaigorodov
no flags
strxfrm-int32.c (335 bytes, text/plain)
2015-02-13 10:52 EST, Vasyl Kaigorodov
no flags


External Trackers
Tracker: Sourceware, ID 16009 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Vasyl Kaigorodov 2015-02-13 10:50:53 EST
Integer overflow when computing memory allocation sizes (similar to CVE-2012-4412) was reported [1] in the glibc strxfrm() function. The attached strxfrm-int32.c should trigger this issue on 32-bit systems.
Additionally, it was discovered [1] that strxfrm() falls back to an unbounded alloca if malloc fails, making it vulnerable to stack-based buffer overflows (similar to CVE-2012-4424). The attached strxfrm-alloca.c should trigger this issue.

Upstream commit that fixes all issues:
http://seclists.org/oss-sec/2015/q1/540

[1]: http://seclists.org/oss-sec/2015/q1/540
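The two defects the report describes are both allocation bookkeeping problems: a per-character size multiplication that can wrap on 32-bit targets, and a malloc-failure path that moves the same unbounded request onto the stack with alloca. The following is an added, stand-alone C model of the hardened pattern a maintainer would apply in such code; it is not glibc's strxfrm() implementation or its fix, and the per-character layout (two 32-bit indices plus a rule byte), the 4 KiB stack threshold, and the SIZE_MAX error return are assumptions chosen for illustration.

```c
/* Added example, not glibc code: overflow-checked size arithmetic and a
   bounded stack/heap scratch buffer, modelling the two fixes the
   strxfrm() report calls for.  Layout, threshold and error convention
   are assumptions for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest scratch request served from the caller's fixed stack buffer
   (assumed threshold).  Anything bigger goes to the heap. */
#define STACK_LIMIT 4096

/* Assumed per-character bookkeeping: two int32_t indices and one rule
   byte, i.e. 9 bytes per input character. */
#define PER_CHAR_BYTES (2 * sizeof(int32_t) + sizeof(unsigned char))

/* Compute n * PER_CHAR_BYTES + extra, refusing to wrap.  On a 32-bit
   size_t an input of ~477 million characters would otherwise overflow
   the product and yield a small allocation for a large write. */
bool checked_scratch_size(size_t n, size_t extra, size_t *out)
{
    if (n > SIZE_MAX / PER_CHAR_BYTES)
        return false;                        /* multiplication would wrap */
    size_t prod = n * PER_CHAR_BYTES;
    if (extra > SIZE_MAX - prod)
        return false;                        /* addition would wrap */
    *out = prod + extra;
    return true;
}

struct scratch {
    unsigned char *ptr;
    bool on_heap;
};

/* Hand out `bytes` of scratch space.  Small requests use the caller's
   fixed-size stack buffer; large ones use malloc.  A heap failure is
   reported (ptr == NULL) instead of being redirected to alloca(bytes),
   which is the unbounded-stack fallback the report describes. */
static struct scratch scratch_acquire(size_t bytes, unsigned char *stackbuf)
{
    struct scratch s = { NULL, false };
    if (bytes <= STACK_LIMIT) {
        s.ptr = stackbuf;
    } else {
        s.ptr = malloc(bytes);
        s.on_heap = (s.ptr != NULL);
    }
    return s;
}

static void scratch_release(struct scratch *s)
{
    if (s->on_heap)
        free(s->ptr);
    s->ptr = NULL;
}

/* Toy stand-in for the transform: uppercases src into dest with the
   strxfrm-style contract (return the full transformed length, copy at
   most n-1 bytes plus NUL).  Returns SIZE_MAX when the size arithmetic
   would overflow or the heap is exhausted. */
size_t toy_xfrm(char *dest, const char *src, size_t n)
{
    size_t srclen = strlen(src);
    size_t bytes;
    if (!checked_scratch_size(srclen, 1, &bytes))
        return SIZE_MAX;                     /* refuse, do not allocate */

    unsigned char stackbuf[STACK_LIMIT];
    struct scratch s = scratch_acquire(bytes, stackbuf);
    if (s.ptr == NULL)
        return SIZE_MAX;                     /* ENOMEM path: fail, no alloca */

    /* bytes >= srclen + 1 by construction, so this write is in bounds. */
    for (size_t i = 0; i < srclen; i++)
        s.ptr[i] = (unsigned char) toupper((unsigned char) src[i]);
    s.ptr[srclen] = '\0';

    if (n > 0) {
        size_t copy = srclen < n - 1 ? srclen : n - 1;
        memcpy(dest, s.ptr, copy);
        dest[copy] = '\0';
    }
    scratch_release(&s);
    return srclen;
}

int main(void)
{
    char out[16];
    size_t need = toy_xfrm(out, "abc", sizeof out);
    printf("len=%zu dest=%s\n", need, out);
    size_t sz;
    printf("overflow check on SIZE_MAX: %s\n",
           checked_scratch_size(SIZE_MAX, 0, &sz) ? "accepted" : "rejected");
    return 0;
}
```

The point of `scratch_acquire` is the missing branch: when `malloc` returns NULL the function returns NULL too, and `toy_xfrm` turns that into an error return. Replacing the unbounded `alloca` with a fixed `STACK_LIMIT` buffer makes the stack footprint a compile-time constant regardless of input length, which is the property the strxfrm-alloca.c reproducer is exercising.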
Comment 1 Vasyl Kaigorodov 2015-02-13 10:52:12 EST
Created attachment 991416 [details]
strxfrm-alloca.c
Comment 2 Vasyl Kaigorodov 2015-02-13 10:52:26 EST
Created attachment 991417 [details]
strxfrm-int32.c
Comment 3 Vasyl Kaigorodov 2015-02-13 10:53:28 EST
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1192527]
Comment 4 Florian Weimer 2015-02-25 04:20:39 EST
Actual upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=0f9e585480ed

One of the integer overflows (or a precursor to it) was introduced into strxfrm in this commit:

commit 450bf66ef223ad83e7032920652445817865770b
Author: Ulrich Drepper <drepper@redhat.com>
Date:   Sat Dec 25 23:41:39 1999 +0000
…
        * string/strxfrm.c: Complete rewrite for new collate implementation.

strxfrm is not widely used (although it is referenced by Firefox and PostgreSQL), use of strxfrm_l is even rarer.
Comment 5 Huzaifa S. Sidhpurwala 2015-09-08 03:24:28 EDT
CVE request via:

http://openwall.com/lists/oss-security/2015/09/08/2
Comment 7 Andrej Nemec 2017-02-15 04:12:53 EST
CVE assignment:

http://seclists.org/oss-sec/2017/q1/437
