Red Hat Bugzilla – Bug 1437147
Fix for thread cancellation of IdM functions incorrect in rhel-6.9.
Last modified: 2018-06-19 01:15:08 EDT
The fix for bug 1012343: https://bugzilla.redhat.com/show_bug.cgi?id=1012343 It results in an unterminated string being passed as a mode to fopen which results in the potential use of uninitialized data. --- a/misc/mntent_r.c +++ b/misc/mntent_r.c @@ -40,10 +40,10 @@ __setmntent (const char *file, const char *mode) { /* Extend the mode parameter with "c" to disable cancellation in the - I/O functions. */ + I/O functions and "e" to set FD_CLOEXEC. */ size_t modelen = strlen (mode); char newmode[modelen + 2]; - memcpy (mempcpy (newmode, mode, modelen), "c", 2); + memcpy (mempcpy (newmode, mode, modelen), "ce", 2); FILE *result = fopen (file, newmode); if (result != NULL) The newmode should be size modelen + 3 and the memcpy should copy 3 bytes. An audit revealed that also needed are cancellation fixes for: getttyent.c files-netgrp.c res_hconf.c So we must fix those up also. The fix for bug 952422 fixed the cancellation issue with getsysstats.c already.
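Review bot: the `+` line `memcpy (mempcpy (newmode, mode, modelen), "ce", 2);` drops the NUL terminator. With the old suffix "c" a 2-byte copy carried 'c' and '\0', but "ce" is three bytes including its terminator, and `char newmode[modelen + 2];` leaves no room for it, so `fopen (file, newmode)` is handed an unterminated mode string. Declare `char newmode[modelen + 3];` and copy 3 bytes (`memcpy (mempcpy (newmode, mode, modelen), "ce", 3);`), as the report itself proposes, and adjust the comment on the `+` line so it still matches what the code appends.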
First reported here: https://blogs.oracle.com/wim/entry/oracle_linux_6_update_9 (Via bug 1012343 comment 21.)
*** Bug 1437111 has been marked as a duplicate of this bug. ***
Fixes complete and undergoing internal review.
(In reply to Carlos O'Donell from comment #0) > Contains a defect that results in a 1-byte buffer overflow. This statement is incorrect. It results in an unterminated string being passed as a mode to fopen which results in the potential use of uninitialized data.
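The buffer arithmetic behind the defect described in comment #0 and corrected in the reply above, as an added example that is not glibc's code and not part of this bug report: a caller-supplied fopen mode is copied into a buffer of modelen + 2 bytes and a suffix is appended with a fixed-size memcpy. With suffix "c" and a 2-byte copy the terminator fits; with suffix "ce" and still only 2 bytes copied, no NUL is written at all. The second function applies the sizing the report proposes (modelen + 3, copy 3 bytes). MODE_MAX, the function names and the fixed-size buffer standing in for the original VLA are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed upper bound for an fopen mode plus suffix; the real code
   uses a VLA sized from modelen instead. */
#define MODE_MAX 32

/* Model of the hunk's construction: the buffer is logically modelen + 2
   bytes (newmode[modelen + 2]) and `ncopy` bytes of `suffix` are appended
   after the mode.  Returns whether a NUL terminator landed inside those
   modelen + 2 bytes.  The buffer is pre-filled with 'X' so the answer is
   observable with memchr and no byte beyond modelen + 2 is ever read. */
static bool mode_is_terminated(const char *mode, const char *suffix, size_t ncopy)
{
    size_t modelen = strlen(mode);
    size_t declared = modelen + 2;                 /* newmode[modelen + 2] */
    if (ncopy > 2 || declared > MODE_MAX)          /* stay inside the model */
        return false;
    char newmode[MODE_MAX];
    memset(newmode, 'X', sizeof newmode);
    memcpy(newmode, mode, modelen);                /* mempcpy (newmode, mode, modelen) */
    memcpy(newmode + modelen, suffix, ncopy);      /* memcpy (..., suffix, ncopy) */
    return memchr(newmode, '\0', declared) != NULL;
}

/* Corrected sizing as the report proposes: modelen + 3 bytes and a
   3-byte copy, so 'c', 'e' and the terminating NUL all land in the
   buffer.  Returns a static buffer holding the extended mode, or NULL
   when the mode would not fit. */
static const char *extended_mode(const char *mode)
{
    static char newmode[MODE_MAX];
    size_t modelen = strlen(mode);
    if (modelen + 3 > sizeof newmode)              /* mode + "ce" + NUL */
        return NULL;
    memcpy(newmode, mode, modelen);
    memcpy(newmode + modelen, "ce", 3);            /* 3 bytes: 'c', 'e', '\0' */
    return newmode;
}
```

Calling `mode_is_terminated("r", "c", 2)` reports true (the pre-change code was fine), while `mode_is_terminated("r", "ce", 2)` reports false, which is exactly the unterminated mode string the reply above describes; `extended_mode("r")` yields "rce".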
*** Bug 1394704 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1879