A flaw was found in glibc. The getcwd() function is affected by an off-by-one buffer overflow and underflow that may lead to memory corruption when the size of the buffer is exactly 1 byte.
Created glibc tracking bugs for this issue:
Affects: fedora-all [bug 2039676]
Filed upstream as: https://sourceware.org/bugzilla/show_bug.cgi?id=28769
I'm updating the CVSS from 8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H to 7.4/CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H . This changes the Attack Vector from Network (AV:N) to Local (AV:L), because it was wrongly set in the first place. The description of the flaw already mentioned "local attacker" but we forgot to reflect this knowledge in the CVSS.
Triggering this bug indeed requires the attacker to be able to alter the current working directory of a process and configure its environment in specific ways that only a local user could do in reasonable scenarios.
This flaw can be triggered only when all of the following conditions are met:
- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory (e.g. through a mount namespace)
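Added example (not glibc's code and not from this bug report): a simplified C model of the generic getcwd() fallback in glibc's sysdeps/posix/getcwd.c, showing why the three conditions above matter. The real directory walk is replaced by a constructed list of path components; ncomps == 0 stands in for the case where "." and "/" have the same device and inode (the bind mount of "/" onto the cwd), so the walk stops before writing anything. The "cwd too long" condition is not modeled: as I read glibc's Linux wrapper, its only role is to make the getcwd syscall fail with ENAMETOOLONG so that this generic code runs at all. The function names model_getcwd_vuln, model_getcwd_fixed and probe_one_byte are mine, and the fix is modeled on my understanding of the upstream change (refuse size == 1 with ERANGE). Guard bytes on both sides of a 1-byte buffer make the underflow and overflow visible without a mount namespace or a vulnerable glibc.

```c
/* Added example: a model of glibc's generic getcwd() fallback, not glibc code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef char *(*getcwd_model_fn)(char *, size_t, const char *const *, size_t);

/* Vulnerable model: builds the path right-to-left in buf[0..size).
 * comps[] lists the cwd's components from the root down (constructed input);
 * ncomps == 0 models a cwd whose dev/ino equal those of "/". */
static char *model_getcwd_vuln(char *buf, size_t size,
                               const char *const *comps, size_t ncomps)
{
    if (size == 0) {                 /* the only size check the old code had */
        errno = EINVAL;
        return NULL;
    }
    size_t allocated = size;
    char *dir = buf;
    char *dirp = dir + allocated;
    *--dirp = '\0';

    /* Walk from the cwd up to the root, prepending "/name" at each level. */
    for (size_t i = ncomps; i-- > 0; ) {
        size_t namlen = strlen(comps[i]);
        if ((size_t)(dirp - dir) < namlen + 1) {
            errno = ERANGE;          /* a non-root cwd is rejected safely here */
            return NULL;
        }
        dirp -= namlen;
        memcpy(dirp, comps[i], namlen);
        *--dirp = '/';
    }

    /* Nothing was prepended, so the cwd is "/": store the lone slash.
     * With allocated == 1 this writes dir[-1]: the one-byte underflow. */
    if (dirp == &dir[allocated - 1])
        *--dirp = '/';

    /* Move the result to the start of the buffer. With allocated == 1 this
     * copies "/\0" (2 bytes) into a 1-byte buffer: the one-byte overflow. */
    memmove(buf, dirp, (size_t)(&dir[allocated] - dirp));
    return buf;
}

/* Fixed model (assumed shape of the upstream fix): a 1-byte buffer cannot
 * hold even "/" plus its terminator, so refuse it up front with ERANGE. */
static char *model_getcwd_fixed(char *buf, size_t size,
                                const char *const *comps, size_t ncomps)
{
    if (size == 1) {
        errno = ERANGE;
        return NULL;
    }
    return model_getcwd_vuln(buf, size, comps, ncomps);
}

struct probe_result { int clobbered; int err; };

/* Run FN on a 1-byte buffer sitting between two guard bytes; report how many
 * guard bytes were overwritten and which errno FN left behind (0 on success). */
static struct probe_result probe_one_byte(getcwd_model_fn fn,
                                          const char *const *comps, size_t ncomps)
{
    char guard[3] = { 'A', 'B', 'C' };   /* guard[1] is the 1-byte buffer */
    struct probe_result r;
    errno = 0;
    char *ret = fn(&guard[1], 1, comps, ncomps);
    r.err = ret ? 0 : errno;
    r.clobbered = (guard[0] != 'A') + (guard[2] != 'C');
    return r;
}

static int probe_clobbered(getcwd_model_fn fn, const char *const *comps, size_t ncomps)
{
    return probe_one_byte(fn, comps, ncomps).clobbered;
}

static int probe_errno(getcwd_model_fn fn, const char *const *comps, size_t ncomps)
{
    return probe_one_byte(fn, comps, ncomps).err;
}

/* Constructed cwd "/home/user" for the non-root cases. */
static const char *const DEEP_COMPS[] = { "home", "user" };

/* Sanity check that the fixed model still resolves a normal cwd. */
static const char *fixed_path_example(void)
{
    static char out[16];
    return model_getcwd_fixed(out, sizeof out, DEEP_COMPS, 2);
}

int main(void)
{
    struct probe_result r;
    r = probe_one_byte(model_getcwd_vuln, NULL, 0);
    printf("vulnerable, cwd resolves to /: %d guard byte(s) clobbered, errno=%d\n",
           r.clobbered, r.err);
    r = probe_one_byte(model_getcwd_vuln, DEEP_COMPS, 2);
    printf("vulnerable, cwd=/home/user:    %d clobbered, errno=%d (ERANGE=%d)\n",
           r.clobbered, r.err, ERANGE);
    r = probe_one_byte(model_getcwd_fixed, NULL, 0);
    printf("fixed, cwd resolves to /:      %d clobbered, errno=%d (ERANGE=%d)\n",
           r.clobbered, r.err, ERANGE);
    printf("fixed, 16-byte buffer:         %s\n", fixed_path_example());
    return 0;
}
```

The non-root probe shows why the bind mount is required: with any real component to prepend, the in-loop ERANGE check fires before the dangerous tail is reached, so a plain 1-byte getcwd() on an ordinary cwd is safe even in the vulnerable model.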
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:0896 https://access.redhat.com/errata/RHSA-2022:0896
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):