Bug 1905213 (CVE-2020-29573) - CVE-2020-29573 glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern
Summary: CVE-2020-29573 glibc: stack-based buffer overflow if the input to any of the ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-29573
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1906071 1906072 1869380
Blocks: 1905219
TreeView+ depends on / blocked
 
Reported: 2020-12-07 18:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-15 17:00 UTC (History)
17 users (show)

Fixed In Version: glibc 2.33
Doc Type: If docs needed, set a value
Doc Text:
A stack buffer overflow flaw was found in glibc in the way the printf family of functions processed an 80-bit long double with a non-canonical bit pattern. This flaw allows an attacker who can control the arguments of these functions with the non-standard long double pattern to trigger an overflow and cause an application crash. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-02-02 14:41:59 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0348 0 None None None 2021-02-02 12:07:21 UTC

Description Guilherme de Almeida Suckevicz 2020-12-07 18:30:50 UTC
sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=26649
https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html

Comment 4 Huzaifa S. Sidhpurwala 2020-12-14 04:48:54 UTC
External References:

https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html

Comment 5 Siddhesh Poyarekar 2020-12-14 05:00:25 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #4)
> External References:
> 
> https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html

FTR, that is not the fix for the issue; it is incorrect and in fact in the context of upstream, it is a nop.  What fixed the problem upstream are these patches:

https://sourceware.org/git/?p=glibc.git;h=d81f90ccd0109de9ed78aeeb8d86e2c6d4600690
https://sourceware.org/git/?p=glibc.git;h=8df4e219e43a4a257d0759b54fef8c488e2f282e

Comment 6 errata-xmlrpc 2021-02-02 12:07:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0348 https://access.redhat.com/errata/RHSA-2021:0348

Comment 7 Product Security DevOps Team 2021-02-02 14:41:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-29573

Comment 8 RaTasha Tillery-Smith 2021-02-15 17:00:41 UTC
Statement:

This is essentially a crash which can only be triggered by a non-standard argument passed as a long double input to a member of printf family of functions. The application has to be written in this way to allow this issue to be triggered. The maximum impact is an application crash.


Note You need to log in before you can comment on or make changes to this bug.