A flaw was found in Gnulib before 2018-09-23. The convert_to_decimal function in vasnprintf.c has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing. References: https://savannah.gnu.org/bugs/?func=detailitem&item_id=54686 https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html Upstream Patch: https://github.com/coreutils/gnulib/commit/278b4175c9d7dd47c1a3071554aac02add3b3c35
Created coreutils tracking bugs for this issue: Affects: fedora-all [bug 1635899] Created gnulib tracking bugs for this issue: Affects: epel-7 [bug 1635898] Affects: fedora-all [bug 1635897]
convert_to_decimal function in vasnprintf.c is compiled and used only when either NEED_PRINTF_LONG_DOUBLE or NEED_PRINTF_DOUBLE macros are defined at compilation time. Components that use Gnulib use m4 files to check whether those macros are necessary. Those macros are defined in m4/vasnprintf.m4 only if the system *printf functions do not: 1) support long doubles 2) support large precisions 3) recover gracefully in case of an out-of-memory condition. glibc does supports all of the above things, thus the macros are not defined and the system functions are used to deal with float/double numbers. The vulnerable code in convert_to_decimal function is not compiled in RHEL packages and they are not vulnerable to this flaw.
Many components embed gnulib and the vulnerable function, however as explained in comment 6 the convert_to_decimal function is compiled only on systems that do not use glibc, according to the default m4 configuration file. All components that have been found to embed gnulib: gettext, enscript, libunistring, sharutils, m17n-lib, m4, xchat, hunspell, icoutils, netcf, cpio, amanda, bison, gcc, glib2, gnutls, openscap, tar, vorbis-tools, diffutils, guile, libpipeline, rcs, grep, gzip, hivex, supermin, patch, augeas, coreutils, findutils, grub2, lftp, libvirt, man-db, wget. The configuration files that enable/disable the use of double formats in printf-like functions (and the use of the vulnerable function) have been manually analyzed in the following components: gettext, grub2, gzip, tar, wget, libvirt, enscript, cpio, gcc.
the embed gnulib in patch is effected. I have built new patch with the fix in rawhide. https://koji.fedoraproject.org/koji/taskinfo?taskID=31129818
(In reply to Riccardo Schirone from comment #7) > The configuration files that enable/disable the use of double formats in > printf-like functions (and the use of the vulnerable function) have been > manually analyzed in the following components: gettext, grub2, gzip, tar, > wget, libvirt, enscript, cpio, gcc. NB, the places where libvirt uses the buggy code are not security sensitive, so from libvirt's POV this is just a normal bug, not a security flaw.