Bug 1905213 (CVE-2020-29573) - CVE-2020-29573 glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern
Summary: CVE-2020-29573 glibc: stack-based buffer overflow if the input to any of the ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-29573
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1906071 1906072 1869380 1966262 1966263 1966264
Blocks: 1905219
TreeView+ depends on / blocked
 
Reported: 2020-12-07 18:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-08-31 08:23 UTC (History)
17 users (show)

Fixed In Version: glibc 2.33
Doc Type: If docs needed, set a value
Doc Text:
A stack buffer overflow flaw was found in glibc in the way the printf family of functions processed an 80-bit long double with a non-canonical bit pattern. This flaw allows an attacker who can control the arguments of these functions with the non-standard long double pattern to trigger an overflow and cause an application crash. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-02-02 14:41:59 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0348 0 None None None 2021-02-02 12:07:21 UTC
Red Hat Product Errata RHSA-2021:2813 0 None None None 2021-07-20 21:16:11 UTC
Red Hat Product Errata RHSA-2021:2998 0 None None None 2021-08-03 13:47:21 UTC
Red Hat Product Errata RHSA-2021:3315 0 None None None 2021-08-31 08:23:39 UTC

Description Guilherme de Almeida Suckevicz 2020-12-07 18:30:50 UTC 
sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=26649
https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html
Comment 4 Huzaifa S. Sidhpurwala 2020-12-14 04:48:54 UTC 
External References:

https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html
Comment 5 Siddhesh Poyarekar 2020-12-14 05:00:25 UTC 
(In reply to Huzaifa S. Sidhpurwala from comment #4)
> External References:
> 
> https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html

FTR, that is not the fix for the issue; it is incorrect and in fact in the context of upstream, it is a nop.  What fixed the problem upstream are these patches:

https://sourceware.org/git/?p=glibc.git;h=d81f90ccd0109de9ed78aeeb8d86e2c6d4600690
https://sourceware.org/git/?p=glibc.git;h=8df4e219e43a4a257d0759b54fef8c488e2f282e
Comment 6 errata-xmlrpc 2021-02-02 12:07:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0348 https://access.redhat.com/errata/RHSA-2021:0348
Comment 7 Product Security DevOps Team 2021-02-02 14:41:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-29573
Comment 8 RaTasha Tillery-Smith 2021-02-15 17:00:41 UTC 
Statement:

This is essentially a crash which can only be triggered by a non-standard argument passed as a long double input to a member of printf family of functions. The application has to be written in this way to allow this issue to be triggered. The maximum impact is an application crash.
Comment 10 errata-xmlrpc 2021-07-20 21:16:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:2813 https://access.redhat.com/errata/RHSA-2021:2813
Comment 11 errata-xmlrpc 2021-08-03 13:47:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2998 https://access.redhat.com/errata/RHSA-2021:2998
Comment 12 errata-xmlrpc 2021-08-31 08:23:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:3315 https://access.redhat.com/errata/RHSA-2021:3315
Note You need to log in before you can comment on or make changes to this bug.