1879225 – (CVE-2020-8927) CVE-2020-8927 brotli: buffer overflow when input chunk is larger than 2GiB

Bug 1879225 (CVE-2020-8927) - CVE-2020-8927 brotli: buffer overflow when input chunk is larger than 2GiB

Summary: CVE-2020-8927 brotli: buffer overflow when input chunk is larger than 2GiB

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-8927
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1886473 1879226 1879227 1879228 1879230 1881156 1886474 2062014 2062015 2062016 2062017 2062018 2062019 2062020 2062021
Blocks:	1879229
TreeView+	depends on / blocked

Reported:	2020-09-15 17:54 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-12-14 17:06 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2021-05-18 14:35:26 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2022:0938	None	None	None	2022-03-15 20:43:49 UTC
Red Hat Product Errata	RHBA-2022:0945	None	None	None	2022-03-16 15:05:20 UTC
Red Hat Product Errata	RHSA-2022:0827	None	None	None	2022-03-10 16:14:31 UTC
Red Hat Product Errata	RHSA-2022:0828	None	None	None	2022-03-10 16:16:58 UTC
Red Hat Product Errata	RHSA-2022:0829	None	None	None	2022-03-10 16:16:11 UTC
Red Hat Product Errata	RHSA-2022:0830	None	None	None	2022-03-10 16:13:29 UTC

Description Guilherme de Almeida Suckevicz 2020-09-15 17:54:33 UTC

A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

Reference:
https://github.com/google/brotli/releases/tag/v1.0.9

Comment 1 Guilherme de Almeida Suckevicz 2020-09-15 17:55:13 UTC

Created brotli tracking bugs for this issue:

Affects: epel-7 [bug 1879230]
Affects: fedora-all [bug 1879226]


Created golang-github-andybalholm-brotli tracking bugs for this issue:

Affects: fedora-all [bug 1879228]


Created mingw-brotli tracking bugs for this issue:

Affects: fedora-all [bug 1879227]

Comment 2 Todd Cullum 2020-09-15 20:10:25 UTC

Upstream commit: https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6

Comment 4 Todd Cullum 2020-09-21 16:25:45 UTC

Mitigation:

This flaw can be mitigated by using the Streaming API instead of the One-Shot API and imposing chunk size limitations.

Comment 9 pouar 2020-10-02 09:50:36 UTC

Anyone mind if I update Brotli to 1.0.9 in Fedora 32? because I'm not sure how to backport this to 1.0.7.

Comment 10 Robert-André Mauchin 🐧 2020-10-02 18:54:48 UTC

I don't think anyone would mind a security update.

Not sure why the Go-sig is CCed on this, for golang-github-andybalholm-brotli?

Comment 11 Tomas Hoger 2020-10-05 07:50:49 UTC

In reply to comment #10:
> Not sure why the Go-sig is CCed on this, for
> golang-github-andybalholm-brotli?

Yes.  Go-sig is on the initialcc list for the component.

Comment 12 Eike Rathke 2020-10-05 10:24:01 UTC

(In reply to pouar from comment #9)
> Anyone mind if I update Brotli to 1.0.9 in Fedora 32? because I'm not sure
> how to backport this to 1.0.7.

As far as I experienced it's not backportable at all if not using the decoder sources from 1.0.8
Be aware that starting from 1.0.8 all Java and Go related files and others are not part of the tarball anymore. I don't know if anything in F32 relies on those.

Comment 14 errata-xmlrpc 2021-05-18 14:23:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1702 https://access.redhat.com/errata/RHSA-2021:1702

Comment 15 Product Security DevOps Team 2021-05-18 14:35:26 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8927

Comment 17 errata-xmlrpc 2022-03-10 16:13:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0830 https://access.redhat.com/errata/RHSA-2022:0830

Comment 18 errata-xmlrpc 2022-03-10 16:14:28 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0827 https://access.redhat.com/errata/RHSA-2022:0827

Comment 19 errata-xmlrpc 2022-03-10 16:16:09 UTC

This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:0829 https://access.redhat.com/errata/RHSA-2022:0829

Comment 20 errata-xmlrpc 2022-03-10 16:16:55 UTC

This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:0828 https://access.redhat.com/errata/RHSA-2022:0828

Note You need to log in before you can comment on or make changes to this bug.