Bug 769722 (CVE-2011-4620) - CVE-2011-4620 plib ulSetError() buffer overflow
Summary: CVE-2011-4620 plib ulSetError() buffer overflow
Alias: CVE-2011-4620
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 771502
Reported: 2011-12-21 22:05 UTC by Kurt Seifried
Modified: 2019-09-29 12:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-04-03 01:43:45 UTC


Description Kurt Seifried 2011-12-21 22:05:05 UTC

From Secunia:

A vulnerability has been discovered in PLIB, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to a boundary error within the "ulSetError()" function (src/util/ulError.cxx) when creating the error message, which can be exploited to overflow a static buffer.

Successful exploitation allows the execution of arbitrary code but requires that the attacker can e.g. control the content of an overly long error message passed to the "ulSetError()" function.

The vulnerability is confirmed in version 1.8.5. Other versions may also be affected.

Was found via TORCS, see exploit-db for reproducer.

Comment 1 Hans de Goede 2011-12-29 15:03:10 UTC
This is a simple case of a vsprintf overflowing a statically allocated buffer. I've done a build of plib for rawhide switching to vsnprintf.

I've not created updated builds for F-15 / F-16, since the overflow will be caught by FORTIFY_SOURCE (and plib is compiled with that), so this poses no more threat than a DoS.

Let me know if the security team wants me to also issue fixed packages for F-15 and F-16.
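An added illustration of the defect the description names (a fixed-size static buffer filled by vsprintf) next to the bounded vsnprintf form Comment 1 describes. This is constructed example code, not plib's own ulError.cxx; the names error_buf, ERROR_BUF_SIZE, ul_set_error_safe and ul_error_truncated are assumptions chosen for the demonstration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for the example; the real plib buffer size is not given on the page. */
#define ERROR_BUF_SIZE 128

/* Statically allocated message buffer, the same shape as the one the report describes. */
static char error_buf[ERROR_BUF_SIZE];

/*
 * Defective shape (shown only as a comment, never called here):
 *
 *     vsprintf(error_buf, fmt, ap);
 *
 * vsprintf has no idea how large error_buf is, so a formatted message longer
 * than ERROR_BUF_SIZE - 1 bytes writes past the end of the array. With
 * FORTIFY_SOURCE the overrun is detected and the process is aborted (a DoS);
 * without it the adjacent memory is silently corrupted.
 */

/*
 * Hardened form: vsnprintf is told the buffer size, writes at most
 * ERROR_BUF_SIZE - 1 characters plus the terminating NUL, and reports how
 * long the full message would have been. Returns 1 if the message was
 * truncated, 0 if it fit, so a caller can log or surface the truncation.
 */
int ul_set_error_safe(const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(error_buf, sizeof error_buf, fmt, ap);
    va_end(ap);

    /* A negative return is an encoding error; treat it as "not fully stored". */
    return needed < 0 || (size_t)needed >= sizeof error_buf;
}

/* Read back the stored message. */
const char *ul_get_error_safe(void)
{
    return error_buf;
}

/* Length of the stored message, for checking the bound held. */
size_t ul_error_len(void)
{
    return strlen(error_buf);
}

/*
 * Drives the over-long case with a constructed 300-byte message and checks
 * the invariants a reviewer cares about: truncation was reported, the stored
 * message is exactly ERROR_BUF_SIZE - 1 bytes, and the buffer is NUL-terminated.
 * Returns 1 when all three hold.
 */
int ul_error_truncated(void)
{
    char big[300];
    int truncated;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    truncated = ul_set_error_safe("error while loading %s", big);

    return truncated == 1
        && ul_error_len() == ERROR_BUF_SIZE - 1
        && error_buf[ERROR_BUF_SIZE - 1] == '\0';
}

int main(void)
{
    ul_set_error_safe("cannot open %s: %d", "model.ac", 2);
    printf("short message: \"%s\"\n", ul_get_error_safe());
    printf("over-long message safely truncated: %s\n",
           ul_error_truncated() ? "yes" : "no");
    return 0;
}
```

The return value of vsnprintf is the length the message would have had, not the number of bytes written, which is why the truncation test compares it against the buffer size rather than checking for an error code.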

Comment 2 Vincent Danen 2012-01-03 22:23:35 UTC
If you could, yes.  I'll file trackers for it.  Even though it is just a DoS, we should correct it.

Comment 3 Vincent Danen 2012-01-03 22:24:20 UTC
Created plib tracking bugs for this issue

Affects: fedora-all [bug 771502]

Comment 4 Fedora Update System 2012-01-15 19:56:24 UTC
plib-1.8.5-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2012-01-15 20:00:56 UTC
plib-1.8.5-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
