Bug 761245 - (CVE-2009-5029) CVE-2009-5029 glibc: __tzfile_read integer overflow to buffer overflow
CVE-2009-5029 glibc: __tzfile_read integer overflow to buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20090601,repor...
: Reopened, Security
Depends On: 716899 767685 767686 767687 767688 767690 767691 767692 767693 767694 767695 767696 769360
Blocks: 767564
  Show dependency treegraph
 
Reported: 2011-12-07 17:06 EST by Ramon de C Valle
Modified: 2016-03-04 06:02 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-14 09:41:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Sourceware 13506 None None None Never

  None (edit)
Description Ramon de C Valle 2011-12-07 17:06:21 EST
There exists a integer overflow to buffer overflow vulnerability within __tzfile_read function of the GNU C Library. This vulnerability was published by dividead early in 2009 in the following blog post:

http://dividead.wordpress.com/2009/06/01/glibc-timezone-integer-overflow/

In December 3, Kingcope, at Full Disclosure Mailing List, noted vsftpd as one possible attack vector for this issue:

http://lists.grok.org.uk/pipermail/full-disclosure/2011-December/084452.html
Comment 10 Ramon de C Valle 2011-12-13 11:29:25 EST
Exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd
http://rcvalle.com/post/14169476482/exploiting-glibc-tzfile-read-integer-overflow-to
Comment 13 Ramon de C Valle 2011-12-14 11:46:37 EST
Created glibc tracking bugs for this issue

Affects: fedora-all [bug 767696]
Comment 14 Ramon de C Valle 2011-12-15 09:23:49 EST
More on exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd
http://rcvalle.com/post/14261796328/more-on-exploiting-glibc-tzfile-read-integer-overflow
Comment 15 Jeff Law 2011-12-15 11:41:42 EST
So I'm just coming up to speed on this problem.  If I've read things correctly, the problem is the integer overflow if mr. badguy constructs a bogus tzfile.  The integer overflow is used to generate a "useful" size for the malloc call.  After that I'm a bit lost, though it may not matter.

ISTM we need to verify that the computation of total_size, tzspec_len don't overflow nor does total_size + tzspec_len + extra overflow.  If an overflow is detected it appears we can safely "goto lose".

Does that match your interpretation of the core issue and what needs to be changed to resolve it?  Having never worked with security errata before, are there restrictions on discussing it on the upstream mailing lists or with the upstream developers privately?
Comment 16 Ramon de C Valle 2011-12-15 13:13:04 EST
Hi Jeff,

There are a few more checks to be made beyond these. I recommend contacting the developers for an appropriate correction. Feel free to publicly discuss this issue on mailing-lists since it is public since earlier 2009.
Comment 17 Tomas Hoger 2011-12-16 06:14:06 EST
(In reply to comment #15)
> The integer overflow is used to generate a "useful" size for the malloc call. 
> After that I'm a bit lost, though it may not matter.

This is a common flaw pattern - an integer overflow / wrap around in the expression used to compute size passed to malloc results in an allocation of the buffer of the insufficient size.  Later processing, however, tries to write more data to the buffer, resulting in (heap-based) buffer overflow, i.e. possibly exploitable memory corruption.
Comment 20 Fedora Update System 2012-01-17 15:24:39 EST
glibc-2.14.1-5 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 errata-xmlrpc 2012-01-24 16:17:49 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0058 https://rhn.redhat.com/errata/RHSA-2012-0058.html
Comment 24 errata-xmlrpc 2012-02-13 15:35:17 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0126 https://rhn.redhat.com/errata/RHSA-2012-0126.html
Comment 25 errata-xmlrpc 2012-02-13 15:35:52 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2012:0125 https://rhn.redhat.com/errata/RHSA-2012-0125.html

Note You need to log in before you can comment on or make changes to this bug.