Bug 1879225 (CVE-2020-8927) - CVE-2020-8927 brotli: buffer overflow when input chunk is larger than 2GiB
Summary: CVE-2020-8927 brotli: buffer overflow when input chunk is larger than 2GiB
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8927
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1886473 1879226 1879227 1879228 1879230 1881156 1886474 2062014 2062015 2062016 2062017 2062018 2062019 2062020 2062021
Blocks: 1879229
TreeView+ depends on / blocked
 
Reported: 2020-09-15 17:54 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-12-14 17:06 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow flaw was found in the Brotli library where an attacker could control the input length of a "one-shot" decompression request to a script that can trigger a crash. This issue can happen when copying chunks of data larger than 2 GiB.
Clone Of:
Environment:
Last Closed: 2021-05-18 14:35:26 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:0938 0 None None None 2022-03-15 20:43:49 UTC
Red Hat Product Errata RHBA-2022:0945 0 None None None 2022-03-16 15:05:20 UTC
Red Hat Product Errata RHSA-2022:0827 0 None None None 2022-03-10 16:14:31 UTC
Red Hat Product Errata RHSA-2022:0828 0 None None None 2022-03-10 16:16:58 UTC
Red Hat Product Errata RHSA-2022:0829 0 None None None 2022-03-10 16:16:11 UTC
Red Hat Product Errata RHSA-2022:0830 0 None None None 2022-03-10 16:13:29 UTC

Description Guilherme de Almeida Suckevicz 2020-09-15 17:54:33 UTC
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

Reference:
https://github.com/google/brotli/releases/tag/v1.0.9

Comment 1 Guilherme de Almeida Suckevicz 2020-09-15 17:55:13 UTC
Created brotli tracking bugs for this issue:

Affects: epel-7 [bug 1879230]
Affects: fedora-all [bug 1879226]


Created golang-github-andybalholm-brotli tracking bugs for this issue:

Affects: fedora-all [bug 1879228]


Created mingw-brotli tracking bugs for this issue:

Affects: fedora-all [bug 1879227]

Comment 4 Todd Cullum 2020-09-21 16:25:45 UTC
Mitigation:

This flaw can be mitigated by using the Streaming API instead of the One-Shot API and imposing chunk size limitations.

Comment 9 pouar 2020-10-02 09:50:36 UTC
Anyone mind if I update Brotli to 1.0.9 in Fedora 32? because I'm not sure how to backport this to 1.0.7.

Comment 10 Robert-André Mauchin 🐧 2020-10-02 18:54:48 UTC
I don't think anyone would mind a security update.

Not sure why the Go-sig is CCed on this, for golang-github-andybalholm-brotli?

Comment 11 Tomas Hoger 2020-10-05 07:50:49 UTC
In reply to comment #10:
> Not sure why the Go-sig is CCed on this, for
> golang-github-andybalholm-brotli?

Yes.  Go-sig is on the initialcc list for the component.

Comment 12 Eike Rathke 2020-10-05 10:24:01 UTC
(In reply to pouar from comment #9)
> Anyone mind if I update Brotli to 1.0.9 in Fedora 32? because I'm not sure
> how to backport this to 1.0.7.

As far as I experienced it's not backportable at all if not using the decoder sources from 1.0.8
Be aware that starting from 1.0.8 all Java and Go related files and others are not part of the tarball anymore. I don't know if anything in F32 relies on those.

Comment 14 errata-xmlrpc 2021-05-18 14:23:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1702 https://access.redhat.com/errata/RHSA-2021:1702

Comment 15 Product Security DevOps Team 2021-05-18 14:35:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8927

Comment 17 errata-xmlrpc 2022-03-10 16:13:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0830 https://access.redhat.com/errata/RHSA-2022:0830

Comment 18 errata-xmlrpc 2022-03-10 16:14:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0827 https://access.redhat.com/errata/RHSA-2022:0827

Comment 19 errata-xmlrpc 2022-03-10 16:16:09 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:0829 https://access.redhat.com/errata/RHSA-2022:0829

Comment 20 errata-xmlrpc 2022-03-10 16:16:55 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:0828 https://access.redhat.com/errata/RHSA-2022:0828


Note You need to log in before you can comment on or make changes to this bug.