Red Hat Bugzilla – Bug 4457
libgdbm writes out uninitialized memory buffers to files, potentially revealing sensitive information.
Last modified: 2008-05-01 11:37:51 EDT
Looks like the libgdbm allocates dynamic memory, then writes
it out to the GDBM file without fully initializing the
entire memory buffer. Observe:
for (i=0; i<8192; i++)
foo[i]= "secret"[i % 6];
g=gdbm_open("foo.dat", 0, GDBM_WRCREAT, 0644, 0);
Link this with -lgdbm, and run it. Afterwards, examine
foo.dat. It should have "secret" splattered all over it.
This was tested with gdbm-1.7.3-19 and glibc-2.1.1-6. All
versions of Red Hat are probably vulnerable.
There are security implications here. If your app handles
sensitive information, like passwords, in dynamic memory,
and then frees it, and if the freed memory is recycled and
allocated by libgdbm, your sensitive information can end up
being splattered in unused portions of your GDBM files.
Earlier this year MS got reamed for doing the same thing
with some Office files.
I ran some tests, it appears that libdb and libdb1 are not
vulnerable to the same problem.
Fixed in gdbm-1.8.0-2. The header (block 0) was not initializing
memory to 0.