Bug 769722 - (CVE-2011-4620) CVE-2011-4620 plib ulSetError() buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20111220,reported=2...
Keywords: Security
Depends On: 771502
Blocks:
Reported: 2011-12-21 17:05 EST by Kurt Seifried
Modified: 2012-04-02 21:43 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-02 21:43:45 EDT

Attachments: None

Description Kurt Seifried 2011-12-21 17:05:05 EST
https://secunia.com/advisories/47297/
http://plib.sourceforge.net/index.html
http://www.exploit-db.com/exploits/18258/

From Secunia:

======================
*Description*
A vulnerability has been discovered in PLIB, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a boundary error within the "ulSetError()" function (src/util/ulError.cxx) when creating the error message, which can be exploited to overflow a static buffer.

Successful exploitation allows the execution of arbitrary code but requires that the attacker can e.g. control the content of an overly long error message passed to the "ulSetError()" function.

The vulnerability is confirmed in version 1.8.5. Other versions may also be affected.
====================== 

Was found via TORCS, see exploit-db for reproducer.
Comment 1 Hans de Goede 2011-12-29 10:03:10 EST
This is a simple case of a vsprintf overflowing a statically allocated buffer. I've done a build of plib for rawhide switching to vsnprintf.

I've not created updated builds for F-15 / F-16, since the overflow will be caught by FORTIFY_SOURCE (and plib is compiled with that), so this poses no more threat than a DoS.

Let me know if the security team wants me to also issue fixed packages for F-15 and F-16.
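The pattern the advisory and Comment 1 describe, a vsprintf() into a statically allocated buffer, shown beside the vsnprintf() replacement. This is an added example written for this page; it is not plib's own code and not taken from the exploit-db reproducer. The buffer size (64 bytes), the function names and the variable names are assumptions chosen for illustration, and the over-long "file name" is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for plib's static error buffer.  The size, the
   function names and the variable names are assumptions made for this
   example; plib's real buffer and signatures are not shown on the page. */
#define ERR_BUF_SIZE 64
static char err_buf[ERR_BUF_SIZE];

/* BEFORE: the pattern Comment 1 describes.  vsprintf() writes as many
   bytes as the formatted message needs; nothing ties that to the size of
   err_buf, so a message longer than ERR_BUF_SIZE - 1 characters runs off
   the end of the buffer.  Kept only for comparison: never feed it an
   attacker-influenced string. */
static void set_error_vulnerable(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(err_buf, fmt, ap);              /* unbounded write */
    va_end(ap);
}

/* AFTER: vsnprintf() writes at most sizeof err_buf bytes and, because
   the size argument is non-zero, always leaves a terminating NUL.  The
   return value is the length the complete message would have had, which
   lets the caller detect that truncation happened. */
static int set_error_fixed(const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(err_buf, sizeof err_buf, fmt, ap);
    va_end(ap);
    return needed;
}

/* True when the value returned by set_error_fixed() means the message
   did not fit.  The < 0 branch covers pre-C99 vsnprintf implementations
   that return -1 on truncation instead of the required length. */
static int message_was_truncated(int needed)
{
    return needed < 0 || (size_t)needed >= sizeof err_buf;
}

static const char *get_error(void) { return err_buf; }
static size_t get_error_len(void) { return strlen(err_buf); }

/* Constructed sample input: a 200-byte attacker-chosen file name that
   ends up inside an error message, the scenario the advisory describes
   ("an overly long error message passed to ulSetError()"). */
static int report_overlong_name(void)
{
    char name[201];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return set_error_fixed("cannot open '%s'", name);
}

int main(void)
{
    int needed;

    /* Short, trusted message: both variants behave the same. */
    set_error_vulnerable("loaded %d textures", 3);
    printf("vulnerable, short input: \"%s\"\n", get_error());

    /* Over-long message: the fixed variant truncates instead of
       overflowing, and reports how much it had to drop. */
    needed = report_overlong_name();
    printf("fixed, long input: %zu bytes kept of %d needed, truncated=%d\n",
           get_error_len(), needed, message_was_truncated(needed));
    return 0;
}
```

With glibc and -O2 -D_FORTIFY_SOURCE=2, the compiler rewrites the vsprintf() into a static buffer of known size as __vsprintf_chk(), which aborts the process instead of writing past the end; that is why Comment 1 rates the unfixed F-15/F-16 builds as a DoS rather than code execution. The vsnprintf() version drops the tail of the message silently, so keeping the returned length (as above) is worth it when the truncated text was a file name you later need to diagnose.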
Comment 2 Vincent Danen 2012-01-03 17:23:35 EST
If you could, yes.  I'll file trackers for it.  Even though it is just a DoS, we should correct it.
Comment 3 Vincent Danen 2012-01-03 17:24:20 EST
Created plib tracking bugs for this issue

Affects: fedora-all [bug 771502]
Comment 4 Fedora Update System 2012-01-15 14:56:24 EST
plib-1.8.5-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-01-15 15:00:56 EST
plib-1.8.5-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.