1300303 – (CVE-2015-8778) CVE-2015-8778 glibc: Integer overflow in hcreate and hcreate_r

Bug 1300303 (CVE-2015-8778) - CVE-2015-8778 glibc: Integer overflow in hcreate and hcreate_r

Summary: CVE-2015-8778 glibc: Integer overflow in hcreate and hcreate_r

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-8778
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1300304 1358013 1374657
Blocks:	1300316 1386080 1415638
TreeView+	depends on / blocked

Reported:	2016-01-20 12:52 UTC by Adam Mariš
Modified:	2021-02-17 04:29 UTC (History)
CC List:	21 users (show)
Fixed In Version:	glibc 2.23
Clone Of:
Environment:
Last Closed:	2019-06-08 02:47:34 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:0680	normal	SHIPPED_LIVE	Moderate: glibc security and bug fix update	2017-03-21 12:36:34 UTC
Red Hat Product Errata	RHSA-2017:1916	normal	SHIPPED_LIVE	Moderate: glibc security, bug fix, and enhancement update	2017-08-01 18:05:43 UTC
Sourceware	18240	None	None	None	2019-04-08 16:54:41 UTC

Description Adam Mariš 2016-01-20 12:52:02 UTC

An integer overflow vulnerability was found in hcreate and hcreate_r which can result in an out-of-bound memory access.  This could lead to application crashes or, potentially, arbitrary code execution.

Upstream bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=18240

CVE assignment:

http://seclists.org/oss-sec/2016/q1/153

Comment 1 Adam Mariš 2016-01-20 12:52:55 UTC

Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1300304]

Comment 4 Martin Prpič 2016-07-07 07:57:03 UTC

Mitigation:

Do not use any applications which call hcreate or hcreate_r with a large size argument.

These functions are used only rarely, and most callers supply a constant argument.  Other applications calculate the size argument in such a way that the error condition cannot be triggered.

Comment 6 errata-xmlrpc 2017-03-21 10:35:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0680 https://rhn.redhat.com/errata/RHSA-2017-0680.html

Comment 8 errata-xmlrpc 2017-08-01 18:12:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1916 https://access.redhat.com/errata/RHSA-2017:1916

Note You need to log in before you can comment on or make changes to this bug.

aavati
arjun.is
ashankar
codonell
fweimer
jakub
jwalter
law
mfabian
mnewsome
nlevinki
pfrankli
rfortier
rhs-bugs
sardella
sgirijan
siddhesh
slawomir
ssaha
vbellur
yozone