Bug 1192525 (CVE-2015-8982) - CVE-2015-8982 glibc: multiple overflows in strxfrm()
Summary: CVE-2015-8982 glibc: multiple overflows in strxfrm()
Keywords:
Status: CLOSED DEFERRED
Alias: CVE-2015-8982
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1192527
Blocks: 1187112 1192526
Reported: 2015-02-13 15:50 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:28 UTC (History)

Fixed In Version: glibc 2.21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-24 08:29:24 UTC
Embargoed:


Attachments
strxfrm-alloca.c (407 bytes, text/plain), 2015-02-13 15:52 UTC, Vasyl Kaigorodov
strxfrm-int32.c (335 bytes, text/plain), 2015-02-13 15:52 UTC, Vasyl Kaigorodov


Links
System: Sourceware; ID: 16009; Priority: P2; Status: RESOLVED; Summary: Possible buffer overflow in strxfrm (CVE-2015-8982); Last Updated: 2020-04-20 10:22:54 UTC

Description Vasyl Kaigorodov 2015-02-13 15:50:53 UTC
Integer overflow when computing memory allocation sizes (similar to CVE-2012-4412) was reported [1] in the glibc strxfrm() function. The attached strxfrm-int32.c should trigger this issue on 32-bit systems.
Additionally, it was discovered [1] that strxfrm() falls back to an unbounded alloca if malloc fails, making it vulnerable to stack-based buffer overflows (similar to CVE-2012-4424). The attached strxfrm-alloca.c should trigger this issue.

Upstream commit that fixes all issues:
http://seclists.org/oss-sec/2015/q1/540

[1]: http://seclists.org/oss-sec/2015/q1/540
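An added illustration (not glibc's code and not one of the attachments) of the allocation discipline that addresses the two issues described above: the element count is checked against size_t overflow before the byte count is computed, and alloca is used only below a fixed limit, with malloc above it and a clean failure, rather than an alloca fallback, when malloc fails. STACK_ALLOC_LIMIT, scratch_plan and weight_sum are names chosen for this example, and the limit is deliberately tiny so both paths are exercised.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit, kept tiny so the example exercises both paths; glibc's
 * real per-call alloca limit is its own business. */
#define STACK_ALLOC_LIMIT 64

enum plan { PLAN_REJECT = 0, PLAN_STACK = 1, PLAN_HEAP = 2 };

/* Decide how to obtain count * elem_size bytes of scratch space. A count
 * whose product would wrap is rejected up front, so it can never become
 * a small allocation that is then overrun. */
enum plan scratch_plan(size_t count, size_t elem_size, size_t *bytes)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return PLAN_REJECT;
    if (bytes != NULL)
        *bytes = count * elem_size;
    return count * elem_size <= STACK_ALLOC_LIMIT ? PLAN_STACK : PLAN_HEAP;
}

/* Toy transform: one int32_t weight per input byte (the shape of the
 * tables strxfrm keeps), summed. Returns (size_t)-1 if the scratch buffer
 * cannot be obtained safely; a failed malloc is an error, never a reason
 * to fall back to an unbounded alloca. */
size_t weight_sum(const char *s)
{
    size_t n = strlen(s), bytes = 0, sum = 0, i;
    int32_t *weights = NULL;
    enum plan p = scratch_plan(n, sizeof *weights, &bytes);

    if (p == PLAN_REJECT)
        return (size_t)-1;
    if (p == PLAN_STACK)
        weights = alloca(bytes);        /* at most STACK_ALLOC_LIMIT bytes */
    else if ((weights = malloc(bytes)) == NULL)
        return (size_t)-1;
    for (i = 0; i < n; i++)
        weights[i] = (unsigned char)s[i];
    for (i = 0; i < n; i++)
        sum += (size_t)weights[i];
    if (p == PLAN_HEAP)
        free(weights);
    return sum;
}
```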

Comment 1 Vasyl Kaigorodov 2015-02-13 15:52:12 UTC
Created attachment 991416 [details]
strxfrm-alloca.c

Comment 2 Vasyl Kaigorodov 2015-02-13 15:52:26 UTC
Created attachment 991417 [details]
strxfrm-int32.c

Comment 3 Vasyl Kaigorodov 2015-02-13 15:53:28 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1192527]

Comment 4 Florian Weimer 2015-02-25 09:20:39 UTC
Actual upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=0f9e585480ed

One of the integer overflows (or a precursor to it) was introduced into strxfrm in this commit:

commit 450bf66ef223ad83e7032920652445817865770b
Author: Ulrich Drepper <drepper>
Date:   Sat Dec 25 23:41:39 1999 +0000
…
        * string/strxfrm.c: Complete rewrite for new collate implementation.

strxfrm is not widely used (although it is referenced by Firefox and PostgreSQL), use of strxfrm_l is even rarer.

Comment 5 Huzaifa S. Sidhpurwala 2015-09-08 07:24:28 UTC
CVE request via:

http://openwall.com/lists/oss-security/2015/09/08/2

Comment 7 Andrej Nemec 2017-02-15 09:12:53 UTC
CVE assignment:

http://seclists.org/oss-sec/2017/q1/437

