A flaw was found in Gnulib before 2018-09-23. The convert_to_decimal function in vasnprintf.c has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing.
Created coreutils tracking bugs for this issue:
Affects: fedora-all [bug 1635899]
Created gnulib tracking bugs for this issue:
Affects: epel-7 [bug 1635898]
Affects: fedora-all [bug 1635897]
convert_to_decimal function in vasnprintf.c is compiled and used only when either NEED_PRINTF_LONG_DOUBLE or NEED_PRINTF_DOUBLE macros are defined at compilation time. Components that use Gnulib use m4 files to check whether those macros are necessary.
Those macros are defined in m4/vasnprintf.m4 only if the system *printf functions do not:
1) support long doubles
2) support large precisions
3) recover gracefully in case of an out-of-memory condition.
glibc does supports all of the above things, thus the macros are not defined and the system functions are used to deal with float/double numbers. The vulnerable code in convert_to_decimal function is not compiled in RHEL packages and they are not vulnerable to this flaw.
Many components embed gnulib and the vulnerable function, however as explained in comment 6 the convert_to_decimal function is compiled only on systems that do not use glibc, according to the default m4 configuration file.
All components that have been found to embed gnulib: gettext, enscript, libunistring, sharutils, m17n-lib, m4, xchat, hunspell, icoutils, netcf, cpio, amanda, bison, gcc, glib2, gnutls, openscap, tar, vorbis-tools, diffutils, guile, libpipeline, rcs, grep, gzip, hivex, supermin, patch, augeas, coreutils, findutils, grub2, lftp, libvirt, man-db, wget.
The configuration files that enable/disable the use of double formats in printf-like functions (and the use of the vulnerable function) have been manually analyzed in the following components: gettext, grub2, gzip, tar, wget, libvirt, enscript, cpio, gcc.
the embed gnulib in patch is effected. I have built new patch with the fix in rawhide.
(In reply to Riccardo Schirone from comment #7)
> The configuration files that enable/disable the use of double formats in
> printf-like functions (and the use of the vulnerable function) have been
> manually analyzed in the following components: gettext, grub2, gzip, tar,
> wget, libvirt, enscript, cpio, gcc.
NB, the places where libvirt uses the buggy code are not security sensitive, so from libvirt's POV this is just a normal bug, not a security flaw.