Bug 2024637 (CVE-2021-3999) - CVE-2021-3999 glibc: Off-by-one buffer overflow/underflow in getcwd()
Summary: CVE-2021-3999 glibc: Off-by-one buffer overflow/underflow in getcwd()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3999
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2025929 2025930 2032279 2032280 2032281 2039676
Blocks: 2024641
Reported: 2021-11-18 14:42 UTC by Pedro Sampaio
Modified: 2022-07-12 12:02 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2022-05-04 01:15:19 UTC
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2022:0896
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2022-03-15 10:21:46 UTC

Description Pedro Sampaio 2021-11-18 14:42:47 UTC
A flaw was found in glibc. The getcwd() function is affected by an off-by-one buffer overflow and underflow that may lead to memory corruption when the size of the buffer is exactly 1 byte.

Comment 18 Mauro Matteo Cascella 2022-01-12 08:37:18 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2039676]

Comment 22 Siddhesh Poyarekar 2022-01-12 13:45:02 UTC
Filed upstream as: https://sourceware.org/bugzilla/show_bug.cgi?id=28769

Comment 26 Riccardo Schirone 2022-01-20 10:59:15 UTC
I'm updating the CVSS from 8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H to 7.4/CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This changes the Attack Vector from Network (AV:N) to Local (AV:L), because it was wrongly set in the first place. The description of the flaw already mentioned "local attacker" but we forgot to reflect this knowledge in the CVSS.

Triggering this bug indeed requires the attacker to be able to alter the current working directory of a process and configure its environment in specific ways that only a local user could do in reasonable scenarios.

Comment 27 Riccardo Schirone 2022-01-20 11:18:21 UTC
This flaw can be triggered only when the following conditions are respected:
- The buffer size (i.e. the second argument of getcwd) is 1 byte
- The current working directory is too long
- '/' is also mounted on the current working directory (e.g. through a mount namespace)
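
The first condition above (a buffer size of exactly 1) is the one a calling program controls, and it is a size that can never hold a result, since even "/" needs two bytes including the terminator. The following C example is added here and is not glibc's code or a patch for this bug: it shows the defensive calling pattern, a wrapper that refuses the size-1 case up front with ERANGE and an allocating variant that grows the buffer on ERANGE instead of guessing a fixed size. The function names getcwd_checked, getcwd_alloc and getcwd_alloc_is_absolute are this example's own.

```c
/* Added example (not glibc's code): defensive getcwd() usage.
 *  - getcwd_checked(): forwards to getcwd() but rejects the size == 1
 *    case described in the bug report before the library sees it.
 *  - getcwd_alloc(): never relies on PATH_MAX; it starts with a small
 *    buffer and doubles it while getcwd() reports ERANGE.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns NULL with errno = EINVAL (size 0 with a caller-supplied buffer)
   or errno = ERANGE (size 1), matching the errors getcwd() documents for
   undersized buffers; otherwise forwards to getcwd(). */
char *getcwd_checked(char *buf, size_t size)
{
    if (buf != NULL && size == 0) {
        errno = EINVAL;
        return NULL;
    }
    if (size == 1) {
        /* "/" plus its NUL byte already needs two bytes, so no absolute
           path fits; refuse rather than call getcwd() with this length. */
        errno = ERANGE;
        return NULL;
    }
    return getcwd(buf, size);
}

/* Heap-allocating variant. Caller frees the result. Returns NULL with
   errno set on failure. */
char *getcwd_alloc(void)
{
    size_t size = 128;              /* deliberately small to exercise growth */
    for (;;) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        if (getcwd_checked(buf, size) != NULL)
            return buf;
        int saved = errno;
        free(buf);
        if (saved != ERANGE) {      /* ENOENT, EACCES, ... : give up */
            errno = saved;
            return NULL;
        }
        if (size > SIZE_MAX / 2) {  /* do not overflow on doubling */
            errno = ENAMETOOLONG;
            return NULL;
        }
        size *= 2;
    }
}

/* Self-check: 1 when the allocating variant returns an absolute path,
   0 otherwise. */
int getcwd_alloc_is_absolute(void)
{
    char *p = getcwd_alloc();
    int ok = (p != NULL && p[0] == '/');
    free(p);
    return ok;
}

int main(void)
{
    char small[1];                  /* the size the bug report describes */
    if (getcwd_checked(small, sizeof small) == NULL)
        printf("size 1 rejected: %s\n", strerror(errno));

    char *cwd = getcwd_alloc();
    if (cwd != NULL) {
        printf("cwd: %s\n", cwd);
        free(cwd);
    } else {
        perror("getcwd_alloc");
    }
    return 0;
}
```

The growth loop treats only ERANGE as "try again"; any other error (for example the directory having been removed) is returned to the caller unchanged, so a long working directory is handled by allocation rather than by passing an arbitrary small size to the library.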

Comment 30 errata-xmlrpc 2022-03-15 10:21:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0896 https://access.redhat.com/errata/RHSA-2022:0896

Comment 31 Product Security DevOps Team 2022-05-04 01:15:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3999

