Bugzilla – Bug 775690
VUL-1: CVE-2012-3480: glibc: multiple integer overflows in strtod and related functions leading to stack overflows with DoS or (potentially) code execution
Last modified: 2013-08-01 09:51:42 UTC
There have recently been multiple integer overflow issues reported in glibc which could lead to stack-based buffer overflows [1], resulting in a Denial of Service, or potentially even allow the execution of arbitrary code. A patch (proposal) can be found at [2].
[1] http://sourceware.org/bugzilla/show_bug.cgi?id=14459 (including testcase)
[2] http://sourceware.org/ml/libc-alpha/2012-08/msg00202.html
Usually, such functions are even recommended to be preferred over e.g. atoi(), which makes this even a bit worse. On the other hand, I'm not sure if an application that lets such things happen is not rather to blame here instead of glibc? Any comments on the severity of this issue are greatly appreciated!
Well, I could include the patch still, I think, but OTOH it's not included in upstream glibc yet. As Joseph already pointed out, exploiting this buffer overflow seems unlikely as it requires the application to pass untrusted data of size roughly 200 megabytes to strtod or friends. So, the question is, do we want to rush it for SP1 (as it's nearing its EOL) and include what is there, or do we want to wait until upstream has included this or a variant of the patch? FWIW, I'm currently building an SP1 glibc with the (adjusted) patch in my home project.
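The comment above notes that triggering the overflow needs roughly 200 MB of untrusted input reaching strtod(). The application-side mitigation that follows from that is to bound the length of any numeric string before it is handed to strtod() and to check the converter's result explicitly. This is an added example, not code from the bug report or from glibc; the cap value SAFE_STRTOD_MAX_LEN and the helpers safe_strtod(), parse_double_or_nan() and parse_overlong_input() are hypothetical, and the oversized input is constructed in the code.

```c
#include <errno.h>
#include <math.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on the numeric string length handed to strtod(). The report
 * puts the input needed for CVE-2012-3480 at roughly 200 MB; no legitimate
 * decimal literal needs more than a few hundred bytes. */
#define SAFE_STRTOD_MAX_LEN 512
enum parse_status { PARSE_OK, PARSE_TOO_LONG, PARSE_NO_DIGITS, PARSE_TRAILING, PARSE_RANGE };

/* Parse a whole string as a double: bound the length first, then report the
 * usual strtod() failure modes (no digits, trailing junk, ERANGE) explicitly. */
enum parse_status safe_strtod(const char *s, double *out)
{
    size_t n = 0;
    while (n <= SAFE_STRTOD_MAX_LEN && s[n] != '\0')  /* stop scanning at the cap */
        n++;
    if (n > SAFE_STRTOD_MAX_LEN)
        return PARSE_TOO_LONG;            /* oversized input never reaches strtod() */
    char *end = NULL;
    errno = 0;
    double v = strtod(s, &end);
    if (end == s)
        return PARSE_NO_DIGITS;           /* nothing converted, e.g. "abc" */
    if (*end != '\0')
        return PARSE_TRAILING;            /* junk after the number, e.g. "12abc" */
    if (errno == ERANGE)
        return PARSE_RANGE;               /* overflow to HUGE_VAL or underflow */
    *out = v;
    return PARSE_OK;
}

/* Value-or-NAN wrapper for callers that only need the number. */
double parse_double_or_nan(const char *s)
{
    double v;
    return safe_strtod(s, &v) == PARSE_OK ? v : NAN;
}

/* Constructed input one byte over the cap, standing in for the oversized untrusted data the report describes. */
enum parse_status parse_overlong_input(void)
{
    static char big[SAFE_STRTOD_MAX_LEN + 2];
    double v;
    memset(big, '9', SAFE_STRTOD_MAX_LEN + 1);
    big[SAFE_STRTOD_MAX_LEN + 1] = '\0';
    return safe_strtod(big, &v);
}
```

The same length bound applies to strtof(), strtold() and the other converters the report groups under "strtod and related functions".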
CVE-2012-3480 was assigned
Michael, we got the inquiry whether "SLES10 SP4 32-bit" would also be affected by this issue, or whether this would just affect SLE11. Is this strtod implementation recent enough to not affect SLE10? Even if it would affect SLE10, I think we still leave this at VUL-1, since it's still not a major issue. We just need the clarification of what's actually the case.
The strtod code in glibc 2.4 is virtually unchanged from the one in 2.11, so it's most probably affected as well. The patch mostly applies to the old glibc too.
The SWAMPID for this issue is 50123. This issue was rated as moderate. Please submit fixed packages by 2012-11-30. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
The patch is uncovering a bug that was fixed in a726d7960e8a4ac784131f591114a0ef14246d8b.
Andreas, thanks for catching the problem and submitting the fixed package.
I finally went through all patchinfos of this round of glibc updates. The only missing submission is this one for 10-SP3 (we need to release security fixes to Teradata). Andreas, could you submit? This should be the last. Thanks.
Did you mean 9-SP3?
No, SLES 10 SP3. (but well... sles9-sp3-teradata might also be open)
osc maintained doesn't list 10-SP3.
Did not, actually. "osc maintained glibc" actually should work ... I will query autobuild. Authoritative:
$ is_maintained -l glibc
sles9-sp3-teradata-x86_64,sle10-sp3-x86_64,sle10-sp4-i386,sle10-sp4-ia64,sle10-sp4-ppc,sle10-sp4-s390x,sle10-sp4-x86_64,sle11-sp1-x86_64,sle11-sp2-i586,sle11-sp2-ia64,sle11-sp2-ppc64,sle11-sp2-s390x,sle11-sp2-x86_64
released
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-obsolete, glibc-profile, glibc-profile-32bit, nscd
Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: glibc, glibc-32bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-devel, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-obsolete, glibc-profile, glibc-profile-32bit, nscd
Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd
Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP2 (i386, x86_64), SLE-SDK 11-SP2 (i386, x86_64), SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: glibc, glibc-32bit, glibc-64bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-64bit, glibc-dceext-devel, glibc-dceext-x86, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-devel-64bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-64bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-64bit, glibc-profile-x86, glibc-x86, nscd
Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64), SLE-DESKTOP 10-SP4 (i386, x86_64), SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-obsolete, glibc-profile, glibc-profile-32bit, nscd
Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64), SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64), SLES4VMWARE 11-SP1-LTSS (i386, x86_64)
Update released for: glibc, glibc-32bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-devel, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-obsolete, glibc-profile, glibc-profile-32bit, nscd
Products: SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64), SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)