libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c. Reference: https://github.com/maxmind/libmaxminddb/issues/236 Upstream patch: https://github.com/maxmind/libmaxminddb/pull/237
Created libmaxminddb tracking bugs for this issue: Affects: epel-all [bug 1895381] Affects: fedora-all [bug 1895380]
In case of NULL size, bytes_to_hex() allocates a heap chunk via malloc() without proper initialization. The pointer to this chunk (hex_string) is later passed as argument to fprintf, resulting in undefined behavior (possibly leading to crash, or unlikely heap buffer overflow). The upstream fix replaces malloc() with calloc(), thus always initializing memory regardless of whether the for loop in bytes_to_hex() is entered or not. --- src/maxminddb.c LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size) { char *hex_string; ... hex_string = malloc((size * 2) + 1); ... for (uint32_t i = 0; i < size; i++) { sprintf(hex_string + (2 * i), "%02X", bytes[i]); } return hex_string; } LOCAL MMDB_entry_data_list_s *dump_entry_data_list(...) { ... case MMDB_DATA_TYPE_BYTES: { char *hex_string = bytes_to_hex((uint8_t *)entry_data_list->entry_data.bytes, entry_data_list->entry_data.data_size); ... fprintf(stream, "%s <bytes>\n", hex_string); } ... }
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:0750 https://access.redhat.com/errata/RHSA-2024:0750
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0751 https://access.redhat.com/errata/RHSA-2024:0751
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0768 https://access.redhat.com/errata/RHSA-2024:0768
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2024:1686 https://access.redhat.com/errata/RHSA-2024:1686