A stack-based buffer overflow in nscd was reported and assigned CVE-2024-33599.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=31677

---

nscd/netgroupcache.c (addinnetgrX):

    struct indataset
    {
      struct datahead head;
      innetgroup_response_header resp;
    } *dataset
      = (struct indataset *) mempool_alloc (db,
                                            sizeof (*dataset) + req->key_len,
                                            1);

mempool_alloc fails and returns NULL. This is possible if posix_fallocate fails and the retry fails.

    struct indataset dataset_mem;
    bool cacheable = true;
    if (__glibc_unlikely (dataset == NULL))
      {
        cacheable = false;
        dataset = &dataset_mem;

This structure has no room for req->key_len material.

      }

    datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
                       sizeof (innetgroup_response_header),
                       he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
    /* Set the notfound status and timeout based on the result from
       getnetgrent.  */
    dataset->head.notfound = result->head.notfound;
    dataset->head.timeout = timeout;

    dataset->resp.version = NSCD_VERSION;
    dataset->resp.found = result->resp.found;
    /* Until we find a matching entry the result is 0.  */
    dataset->resp.result = 0;

    char *key_copy = memcpy ((char *) (dataset + 1), group, req->key_len);

This copies up to req->key_len material to a structure that has no storage space for it.

This was detected by static code analysis. It will only happen in the case the database runs out of memory/storage while expanding the netgroup cache. The group entries overwrite other data on the stack after dataset_mem.

The workaround is not to cache the netgroup if this is impacting the use of the application.
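The fallback pattern from the report above, modelled as a self-contained C program with the key copy gated on the storage actually owned. This is an added example, not glibc's code and not the upstream fix; the struct layouts, `pool_ok`, `pool_exhausted`, `build_response`, `struct built` and the sample key are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the fixed-size part of nscd's dataset (assumed layout). */
struct indataset { size_t allocsize; int version; int found; int result; };

/* Hypothetical allocators modelling mempool_alloc success and failure. */
static void *pool_ok (size_t n) { return calloc (1, n); }
static void *pool_exhausted (size_t n) { (void) n; return NULL; }

struct built { bool cacheable; bool key_stored; int found; char key[64]; };

/* Hardened form: key bytes go behind the header only when the storage was
   really sized as sizeof (*dataset) + key_len. */
static struct built
build_response (void *(*alloc) (size_t), const char *group, size_t key_len, int found)
{
  struct built out = { .cacheable = true };
  struct indataset dataset_mem;          /* header only, no room for a key */
  size_t capacity = sizeof (struct indataset) + key_len;
  struct indataset *dataset = alloc (capacity);
  if (dataset == NULL) {
    out.cacheable = false;
    dataset = &dataset_mem;
    capacity = sizeof (dataset_mem);     /* record what is actually owned */
  }
  dataset->allocsize = sizeof (*dataset) + key_len;
  dataset->version = 2;                  /* constructed value */
  dataset->found = out.found = found;
  dataset->result = 0;
  /* The reported code copies unconditionally; this gate keeps the stack
     fallback from ever receiving key bytes. */
  if (capacity - sizeof (*dataset) >= key_len && key_len <= sizeof (out.key)) {
    char *key_copy = memcpy ((char *) (dataset + 1), group, key_len);
    memcpy (out.key, key_copy, key_len);
    out.key_stored = true;
  }
  if (out.cacheable)
    free (dataset);
  return out;
}

int main (void)
{
  struct built a = build_response (pool_ok, "trusted-hosts", 14, 1);
  struct built b = build_response (pool_exhausted, "trusted-hosts", 14, 1);
  return !(a.key_stored && !b.key_stored);
}
```

Tracking `capacity` next to the pointer is what makes the check possible: once `dataset` is redirected to `dataset_mem`, the pointer alone no longer says how many bytes follow the header.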
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2799 https://access.redhat.com/errata/RHSA-2024:2799

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:3309 https://access.redhat.com/errata/RHSA-2024:3309

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3312 https://access.redhat.com/errata/RHSA-2024:3312

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3339 https://access.redhat.com/errata/RHSA-2024:3339

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3344 https://access.redhat.com/errata/RHSA-2024:3344