Bug 2167666 (CVE-2023-25139) - CVE-2023-25139 glibc: incorrect printf output for integers with thousands separator and width field
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-25139
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2167667 2167668 2167669 2167955 2167956
Blocks: 2166922
 
Reported: 2023-02-07 08:52 UTC by Sandipan Roy
Modified: 2023-02-13 17:42 UTC

Fixed In Version:
Doc Text:
A vulnerability was found in glibc. When the printf family of functions is called with a format specifier that uses an apostrophe (enable grouping) and a minimum width specifier, the resulting output could be larger than reasonably expected by a caller that computed a tight bound on the buffer size. The resulting larger-than-expected output could result in a buffer overflow in the printf family of functions.
Clone Of:
Environment:
Last Closed: 2023-02-11 13:10:04 UTC
Embargoed:



Description Sandipan Roy 2023-02-07 08:52:38 UTC
sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=30068
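
A caller-side mitigation and self-check for the behaviour described above, as an added example that is not part of the original report or of glibc: the output bound is enforced by snprintf instead of a hand-computed tight size, and a second helper reports whether the running libc emits more bytes than the width field implies. The names format_grouped and grouped_width_excess are hypothetical, and the excess check assumes the field width is counted in bytes (single-byte or empty thousands separator).

```c
/* Added example: hypothetical helpers, not glibc or Red Hat code. */
#include <locale.h>
#include <stdio.h>
#include <string.h>

/* Format v with grouping and a minimum field width into dst.
   The buffer bound is enforced by snprintf, not by a hand-computed size.
   Returns the number of bytes written, or -1 if dst is too small. */
int format_grouped(char *dst, size_t cap, int width, long v)
{
    int n = snprintf(dst, cap, "%'*ld", width, v);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            dst[0] = '\0';          /* never hand back a truncated number */
        return -1;
    }
    return n;
}

/* Self-check for the running libc and locale: bytes produced beyond
   max(width, unpadded length). Assumes the field width counts bytes,
   i.e. a single-byte (or empty) thousands separator. 0 means no excess. */
int grouped_width_excess(int width, long v)
{
    int natural = snprintf(NULL, 0, "%'ld", v);
    int padded = snprintf(NULL, 0, "%'*ld", width, v);
    if (natural < 0 || padded < 0)
        return -1;
    return padded - (natural > width ? natural : width);
}

int main(void)
{
    char buf[32];                   /* deliberately not a tight bound */
    setlocale(LC_ALL, "");          /* pick up the user's grouping rules */
    int n = format_grouped(buf, sizeof buf, 13, 1234567L);
    if (n < 0) {
        fputs("buffer too small\n", stderr);
        return 1;
    }
    printf("[%s] %d bytes, excess %d\n", buf, n,
           grouped_width_excess(13, 1234567L));
    return 0;
}
```

A nonzero excess for the report's case (1,234,567 with width 13) in a locale that groups digits indicates the libc in use produces longer output than the width field requests.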

Comment 1 Sandipan Roy 2023-02-07 08:55:08 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-36 [bug 2167667]
Affects: fedora-37 [bug 2167669]


Created zig tracking bugs for this issue:

Affects: fedora-36 [bug 2167668]

Comment 2 Siddhesh Poyarekar 2023-02-07 13:51:22 UTC
(In reply to Sandipan Roy from comment #1)
> Created glibc tracking bugs for this issue:
> 
> Affects: fedora-36 [bug 2167667]
> Affects: fedora-37 [bug 2167669]
> 
> 
> Created zig tracking bugs for this issue:
> 
> Affects: fedora-36 [bug 2167668]

Please create a rawhide tracker for this.  This only affects glibc 2.37, which is only in rawhide.

Comment 3 Guilherme de Almeida Suckevicz 2023-02-07 19:17:59 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-rawhide [bug 2167955]


Created zig tracking bugs for this issue:

Affects: fedora-rawhide [bug 2167956]

Comment 4 Carlos O'Donell 2023-02-07 20:27:45 UTC
Fedora Rawhide glibc is fixed with glibc-2.37-1.fc38
https://bodhi.fedoraproject.org/updates/FEDORA-2023-da6855d11c

Comment 9 Product Security DevOps Team 2023-02-11 13:10:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-25139

