798538 – (CVE-2013-0221) VUL-1: CVE-2013-0221: coreutils: segmentation fault in "sort -d" and "sort -M" with long line input

Bug 798538 (CVE-2013-0221) - VUL-1: CVE-2013-0221: coreutils: segmentation fault in "sort -d" and "sort -M" with long line input

Summary: VUL-1: CVE-2013-0221: coreutils: segmentation fault in "sort -d" and "sort -M...

Status:	RESOLVED FIXED

Alias:	CVE-2013-0221

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	x86-64 openSUSE 12.2

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Deadline:	2015-12-16
Assignee:	Philipp Thomas
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11-sp3:54067 maint...
Keywords:

Depends on:	CVE-2013-0222 CVE-2013-0223
Blocks:
	Show dependency tree / graph

Clone This Bug

Reported:	2013-01-15 14:29 UTC by Forgotten User m4H6SeH0_b
Modified:	2016-02-19 00:28 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Forgotten User m4H6SeH0_b 2013-01-15 14:29:55 UTC

+++ This bug was initially created as a clone of Bug #796243 +++

User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0

"sort -d" and "sort -M" crashe if input stream contains very long strings

% perl -e 'print "1","A"x50000000,"\r\n\r\n"' | sort -d
[1]    13431 done                perl -e 'print "1","A"x50000000,"\r\n\r\n"' | 
       13432 segmentation fault  sort -d

% perl -e 'print "1","A"x50000000,"\r\n\r\n"' | sort -M
[1]    13433 done                perl -e 'print "1","A"x50000000,"\r\n\r\n"' | 
       13434 segmentation fault  sort -M


Depending on the stack size the sequence can be as short as ~10MB (in the above example 50MB)

Reproducible: Always

Steps to Reproduce:
1. see above
Actual Results:  
crash

Expected Results:  
no crash

Comment 1 Bernhard Voelker 2013-01-15 14:43:22 UTC

Bug also present in 12.1.

Bug cannot be reproduced with upstream coreutils' sort,
and therefore is most probably in SuSE's patches.

Comment 2 Forgotten User m4H6SeH0_b 2013-01-15 14:46:11 UTC

Yes, I believe it is in SUSE coreutils-i18n.patch. I mentioned it in the related bug https://bugzilla.novell.com/show_bug.cgi?id=796243

Comment 3 Sebastian Krahmer 2013-01-16 13:27:58 UTC

Probably enough to fix it in Factory.

Comment 4 Philipp Thomas 2013-01-16 14:41:48 UTC

I disagree strongly. Given that join, sort and uniq can be failed I'd rate this severe enough to warrant a complete update for both SLES and openSUSE. Im working on a patch that fixes all three secbugs.

Comment 5 Bernhard Voelker 2013-01-21 08:37:20 UTC

Fixed in Base:System, submitted to Factory:
https://build.opensuse.org/request/show/149348

Fixes for openSUSE:Maintenance pending.

Comment 6 Marcus Meissner 2013-01-21 14:08:28 UTC

@philipp: I agree

Comment 7 Sebastian Krahmer 2013-01-21 14:49:32 UTC

Please wait with the opensuse submits until we've got a CVE.

Comment 8 Matthias Weckbecker 2013-01-23 11:54:05 UTC

´

Comment 9 Matthias Weckbecker 2013-01-23 11:58:23 UTC

CVE-2013-0221 was assigned to this.

Comment 10 Bernhard Voelker 2013-01-23 12:33:55 UTC

Maintenance requests created:

11.4:
https://build.opensuse.org/request/show/149689

12.1:
https://build.opensuse.org/request/show/149691

12.2:
https://build.opensuse.org/request/show/149694

Comment 11 Bernhard Wiedemann 2013-01-26 19:00:22 UTC

This is an autogenerated message for OBS integration:
This bug (798538) was mentioned in
https://build.opensuse.org/request/show/150013 Maintenance /

Comment 12 Bernhard Wiedemann 2013-01-26 20:00:23 UTC

This is an autogenerated message for OBS integration:
This bug (798538) was mentioned in
https://build.opensuse.org/request/show/150015 Maintenance /

Comment 13 Bernhard Wiedemann 2013-01-26 21:00:26 UTC

This is an autogenerated message for OBS integration:
This bug (798538) was mentioned in
https://build.opensuse.org/request/show/150025 Maintenance /

Comment 14 Swamp Workflow Management 2013-02-04 13:04:55 UTC

openSUSE-SU-2013:0232-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 796243,798538,798541
CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223
Sources used:
openSUSE 12.1 (src):    coreutils-8.14-3.19.1

Comment 15 Swamp Workflow Management 2013-02-04 13:05:27 UTC

openSUSE-SU-2013:0233-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 796243,798538,798541
CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223
Sources used:
openSUSE 12.2 (src):    coreutils-8.16-5.12.1

Comment 16 Swamp Workflow Management 2013-02-04 14:04:42 UTC

openSUSE-SU-2013:0237-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 796243,798538,798541
CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223
Sources used:
openSUSE 11.4 (src):    coreutils-8.9-23.1

Comment 17 Marcus Meissner 2013-03-19 13:26:36 UTC

Please submit with the current coreutils update for SLE11

Comment 19 Philipp Thomas 2013-08-13 12:48:23 UTC

AFAICS complete and building packages submitted via SRs 28341 and 28342

Comment 23 Swamp Workflow Management 2013-08-14 06:21:14 UTC

The SWAMPID for this issue is 54064.
This issue was rated as moderate.
Please submit fixed packages until 2013-08-28.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 24 Philipp Thomas 2013-08-19 13:15:01 UTC

Packages for SLE where submitted.

Comment 25 Philipp Thomas 2013-08-19 13:38:22 UTC

Reopening to reassign

Comment 26 Swamp Workflow Management 2013-09-25 14:49:35 UTC

Update released for: coreutils, coreutils-debuginfo, coreutils-debuginfo-x86, coreutils-debugsource, coreutils-lang, coreutils-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Comment 27 Swamp Workflow Management 2013-09-25 14:55:21 UTC

Update released for: coreutils, coreutils-debuginfo, coreutils-debuginfo-x86, coreutils-debugsource, coreutils-lang, coreutils-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)

Comment 28 Swamp Workflow Management 2013-09-26 09:04:25 UTC

Update released for: coreutils, coreutils-debuginfo, coreutils-debugsource, coreutils-lang
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)

Comment 29 Marcus Meissner 2013-10-01 15:09:22 UTC

released

Comment 32 Philipp Thomas 2015-11-30 16:46:47 UTC

Fixed with sr 83566

Comment 34 SMASH SMASH 2015-12-02 13:44:23 UTC

An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Dec. 16, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/62363/.

Comment 35 Swamp Workflow Management 2015-12-02 13:44:41 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-12-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62363