Red Hat Bugzilla – Bug 769722
CVE-2011-4620 plib ulSetError() buffer overflow
Last modified: 2012-04-02 21:43:45 EDT
A vulnerability has been discovered in PLIB, which can be exploited by malicious people to compromise an application using the library.
The vulnerability is caused due to a boundary error within the "ulSetError()" function (src/util/ulError.cxx) when creating the error message, which can be exploited to overflow a static buffer.
Successful exploitation allows the execution of arbitrary code but requires that the attacker can e.g. control the content of an overly long error message passed to the "ulSetError()" function.
The vulnerability is confirmed in version 1.8.5. Other versions may also be affected.
It was found via TORCS; see exploit-db for a reproducer.
This is a simple case of a vsprintf overflowing a statically allocated buffer. I've done a build of plib for rawhide switching to vsnprintf.
I've not created updated builds for F-15 / F-16, since the overflow will be caught by FORTIFY_SOURCE (and plib is compiled with that), so this poses no more threat than a DoS.
Let me know if the security team wants me to also issue fixed packages for F-15 and F-16.
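The vsprintf-to-vsnprintf change described in the comment above, as an added illustration that is not PLIB's own code: a fixed-size static error buffer filled by a variadic formatter, with the unbounded "before" kept only as an uncalled reference and the bounded version reporting whether the message was truncated. The buffer size and function names are assumptions, not taken from PLIB.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example; PLIB's actual size is not given here. */
#define ERR_BUF_SIZE 64

/* Statically allocated error message buffer, as in the bug description. */
static char err_buf[ERR_BUF_SIZE];

/* "Before": vsprintf has no idea how large err_buf is, so a format
 * expansion longer than ERR_BUF_SIZE-1 writes past the end of the array.
 * Kept for comparison only; never call it with untrusted input. */
void set_error_unsafe(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(err_buf, fmt, ap);
    va_end(ap);
}

/* "After": vsnprintf is bounded by sizeof err_buf and always NUL-terminates.
 * Returns 1 if the message had to be truncated, 0 if it fit. */
int set_error_safe(const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(err_buf, sizeof err_buf, fmt, ap);
    va_end(ap);

    /* vsnprintf returns the length the full message would have had;
     * a value >= the buffer size means the tail was cut off. */
    return needed < 0 || (size_t)needed >= sizeof err_buf;
}

const char *get_error(void) { return err_buf; }

int main(void)
{
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    set_error_safe("file %s not found", "tux.ac");
    printf("fits: truncated=%d msg=\"%s\"\n", 0, get_error());
    printf("overlong input: truncated=%d len=%zu\n",
           set_error_safe("%s", big), strlen(get_error()));
    return 0;
}
```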
If you could, yes. I'll file trackers for it. Even though it is just a DoS, we should correct it.
Created plib tracking bugs for this issue
Affects: fedora-all [bug 771502]
plib-1.8.5-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
plib-1.8.5-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.