Bug 1635896 (CVE-2018-17942) - CVE-2018-17942 gnulib: heap-based buffer overflow in convert_to_decimal function in vasnprintf.c
Summary: CVE-2018-17942 gnulib: heap-based buffer overflow in convert_to_decimal funct...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-17942
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Mosaab Alzoubi
QA Contact:
URL:
Whiteboard:
Depends On: 1635897 1635898 1635899 1635900 1638198 1639770
Blocks: 1635901
Reported: 2018-10-03 20:56 UTC by Laura Pardo
Modified: 2020-12-17 09:58 UTC (History)
CC List: 28 users

Fixed In Version: gnulib-0-31.20200107git.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-10 23:32:43 UTC


Description Laura Pardo 2018-10-03 20:56:56 UTC
A flaw was found in Gnulib before 2018-09-23. The convert_to_decimal function in vasnprintf.c has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing.


References:
https://savannah.gnu.org/bugs/?func=detailitem&item_id=54686
https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html

Upstream Patch:
https://github.com/coreutils/gnulib/commit/278b4175c9d7dd47c1a3071554aac02add3b3c35

Comment 1 Laura Pardo 2018-10-03 20:57:54 UTC
Created coreutils tracking bugs for this issue:

Affects: fedora-all [bug 1635899]


Created gnulib tracking bugs for this issue:

Affects: epel-7 [bug 1635898]
Affects: fedora-all [bug 1635897]

Comment 6 Riccardo Schirone 2018-11-22 17:04:10 UTC
The convert_to_decimal function in vasnprintf.c is compiled and used only when either the NEED_PRINTF_LONG_DOUBLE or the NEED_PRINTF_DOUBLE macro is defined at compilation time. Components that use Gnulib use m4 files to check whether those macros are necessary.

Those macros are defined in m4/vasnprintf.m4 only if the system *printf functions do not:
1) support long doubles
2) support large precisions
3) recover gracefully in case of an out-of-memory condition.

glibc does support all of the above things, thus the macros are not defined and the system functions are used to deal with float/double numbers. The vulnerable code in the convert_to_decimal function is not compiled in RHEL packages and they are not vulnerable to this flaw.
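A triage helper for the condition comment 6 describes, added here as an example (it is not part of gnulib or of this bug report): it reads a configured tree's config.h and reports whether NEED_PRINTF_DOUBLE or NEED_PRINTF_LONG_DOUBLE is actively defined, i.e. whether convert_to_decimal would be compiled in. The function names and the two config.h fragments are constructed for illustration.

```shell
#!/bin/sh
# Added triage helper (not gnulib's own code). Per comment 6, convert_to_decimal
# is built only when configure defines NEED_PRINTF_DOUBLE or NEED_PRINTF_LONG_DOUBLE.

# defines_macro FILE MACRO -> exit 0 if FILE actively #defines MACRO.
# autoconf writes disabled macros as "/* #undef MACRO */", which must not match.
defines_macro() {
  grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# vulnerable_code_compiled CONFIG_H -> prints each enabling macro found;
# exit 0 if any is set, exit 1 if the system printf is used (the glibc/RHEL case).
vulnerable_code_compiled() {
  found=0
  for m in NEED_PRINTF_DOUBLE NEED_PRINTF_LONG_DOUBLE; do
    if defines_macro "$1" "$m"; then
      echo "$m"
      found=1
    fi
  done
  [ "$found" -eq 1 ]
}

# Constructed sample config.h fragments (not real configure output).
tmp=$(mktemp -d)
cat > "$tmp/glibc.h" <<'EOF'
/* #undef NEED_PRINTF_DOUBLE */
/* #undef NEED_PRINTF_LONG_DOUBLE */
#define HAVE_VASNPRINTF 1
EOF
cat > "$tmp/other.h" <<'EOF'
#define NEED_PRINTF_DOUBLE 1
/* #undef NEED_PRINTF_LONG_DOUBLE */
EOF

for f in glibc other; do
  if vulnerable_code_compiled "$tmp/$f.h" >/dev/null; then
    echo "$f: convert_to_decimal compiled in, fix needed"
  else
    echo "$f: system printf used, convert_to_decimal not built"
  fi
done
```

Point vulnerable_code_compiled at the real config.h of a configured source tree that bundles gnulib to get the same answer for that build.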

Comment 7 Riccardo Schirone 2018-11-26 10:46:08 UTC
Many components embed gnulib and the vulnerable function; however, as explained in comment 6, the convert_to_decimal function is compiled only on systems that do not use glibc, according to the default m4 configuration file.

All components that have been found to embed gnulib: gettext, enscript, libunistring, sharutils, m17n-lib, m4, xchat, hunspell, icoutils, netcf, cpio, amanda, bison, gcc, glib2, gnutls, openscap, tar, vorbis-tools, diffutils, guile, libpipeline, rcs, grep, gzip, hivex, supermin, patch, augeas, coreutils, findutils, grub2, lftp, libvirt, man-db, wget.

The configuration files that enable/disable the use of double formats in printf-like functions (and the use of the vulnerable function) have been manually analyzed in the following components: gettext, grub2, gzip, tar, wget, libvirt, enscript, cpio, gcc.

Comment 8 Than Ngo 2018-11-26 13:17:32 UTC
The gnulib embedded in patch is affected. I have built a new patch with the fix in rawhide.

https://koji.fedoraproject.org/koji/taskinfo?taskID=31129818

Comment 9 Daniel Berrangé 2018-11-27 13:46:22 UTC
(In reply to Riccardo Schirone from comment #7)
> The configuration files that enable/disable the use of double formats in
> printf-like functions (and the use of the vulnerable function) have been
> manually analyzed in the following components: gettext, grub2, gzip, tar,
> wget, libvirt, enscript, cpio, gcc.

NB, the places where libvirt uses the buggy code are not security sensitive, so from libvirt's POV this is just a normal bug, not a security flaw.
