Bug 828878 (CVE-2012-2673) - CVE-2012-2673 gc: malloc() and calloc() overflows
Summary: CVE-2012-2673 gc: malloc() and calloc() overflows
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2673
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Miloš Prchlík
URL:
Whiteboard:
Depends On: 828881 828882 1012436 1012437 1022688 1053200
Blocks: 828887 1011743
Reported: 2012-06-05 14:17 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:53 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-04 06:25:04 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:1500 | 0 | normal | SHIPPED_LIVE | Moderate: gc security update | 2013-11-04 23:19:15 UTC
Red Hat Product Errata | RHSA-2014:0149 | 0 | normal | SHIPPED_LIVE | Moderate: gc security update | 2014-02-10 22:29:25 UTC
Red Hat Product Errata | RHSA-2014:0150 | 0 | normal | SHIPPED_LIVE | Moderate: gc security update | 2014-02-10 22:29:19 UTC

Description Jan Lieskovsky 2012-06-05 14:17:00 UTC
A security flaw was found in the way the malloc() and calloc() routine implementations of gc, a Boehm-Demers-Weiser conservative garbage collector, performed parameter sanitization when allocating memory. If an application using the gc collector was missing application-level validity checks of the malloc() and calloc() routine parameters, a remote attacker could provide a specially crafted application-specific input file that, when opened in that application, would lead to an application crash or, potentially, arbitrary code execution with the privileges of the user running the application.

CVE request:
[1] www.openwall.com/lists/oss-security/2012/06/05/1

Upstream patches:
A) malloc() size overflow check
   [2] https://github.com/ivmai/bdwgc/commit/be9df82919960214ee4b9d3313523bff44fd99e1

B) calloc() size overflow check
   [3] https://github.com/ivmai/bdwgc/commit/e10c1eb9908c2774c16b3148b30d2f3823d66a9a
   [4] https://github.com/ivmai/bdwgc/commit/6a93f8e5bcad22137f41b6c60a1c7384baaec2b3
   [5] https://github.com/ivmai/bdwgc/commit/83231d0ab5ed60015797c3d1ad9056295ac3b2bb

References:
[6] http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/
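
Added example (not part of the original report, and not the upstream bdwgc patch code): the class of size-overflow check that patches A and B are described as adding, shown for a generic allocator. The names unchecked_total, checked_mul, checked_round_up, demo_calloc and the 16-byte DEMO_GRANULE are hypothetical, and the granule rounding on the malloc() side is an assumption about how an allocator enlarges a request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define DEMO_GRANULE 16u  /* assumed allocation granule, illustration only */

/* What an unvalidated calloc()-style routine computes: wraps mod 2^N. */
static size_t unchecked_total(size_t n, size_t elem) { return n * elem; }

/* calloc() side: store n * elem in *out, or return -1 if it would wrap. */
static int checked_mul(size_t n, size_t elem, size_t *out)
{
    if (elem != 0 && n > SIZE_MAX / elem)
        return -1;
    *out = n * elem;
    return 0;
}

/* malloc() side: rounding a request up to the granule adds to it, so the
 * addition needs its own check before it is performed. */
static int checked_round_up(size_t size, size_t granule, size_t *out)
{
    if (granule == 0 || size > SIZE_MAX - (granule - 1))
        return -1;
    *out = (size + granule - 1) / granule * granule;
    return 0;
}

/* Hypothetical hardened wrapper: fails closed instead of under-allocating. */
void *demo_calloc(size_t n, size_t elem)
{
    size_t total, rounded;
    if (checked_mul(n, elem, &total) != 0 ||
        checked_round_up(total, DEMO_GRANULE, &rounded) != 0)
        return NULL;
    return calloc(1, rounded ? rounded : DEMO_GRANULE);
}

int main(void)
{
    size_t n = SIZE_MAX / 2 + 1;   /* constructed oversized element count */
    void *p = demo_calloc(n, 2);
    printf("unchecked total: %zu bytes\n", unchecked_total(n, 2));
    printf("demo_calloc: %s\n", p ? "allocated" : "rejected (NULL)");
    free(p);
    return 0;
}
```

Without the two checks, the wrapped total would be passed on as a small request and the caller would receive a buffer far smaller than the n * elem bytes it intends to write.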

Comment 1 Jan Lieskovsky 2012-06-05 14:19:55 UTC
This issue affects the version of the gc package, as shipped with
Red Hat Enterprise Linux 6.

--

This issue affects the versions of the gc package, as shipped with Fedora releases 15, 16, and 17. Please schedule an update.

--

This issue affects the version of the gc package, as shipped with Fedora EPEL 5. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-06-05 14:21:53 UTC
Created gc tracking bugs for this issue

Affects: fedora-all [bug 828881]
Affects: epel-5 [bug 828882]

Comment 4 Stefan Cornelius 2012-06-07 20:30:45 UTC
The CVE identifier of CVE-2012-2673 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/06/07/13

Comment 5 Fedora Update System 2012-06-28 03:22:22 UTC
gc-7.2b-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2012-06-28 03:44:17 UTC
gc-7.2b-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2013-11-04 18:20:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1500 https://rhn.redhat.com/errata/RHSA-2013-1500.html

Comment 16 errata-xmlrpc 2014-02-10 17:31:26 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Proxy v 5.6

Via RHSA-2014:0150 https://rhn.redhat.com/errata/RHSA-2014-0150.html

Comment 17 errata-xmlrpc 2014-02-10 17:32:15 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6

Via RHSA-2014:0149 https://rhn.redhat.com/errata/RHSA-2014-0149.html

