Bugzilla – Bug 796243
VUL-1: CVE-2013-0222: coreutils: segmentation fault in "uniq" with long line input
Last modified: 2015-12-04 12:11:04 UTC
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0 "uniq" crashes if input stream contains very large sequence of NULL bytes % perl -e 'print "1","\0"x50000000,"\r\n\r\n"' | uniq [2] 8244 done perl -e 'print "1","\0"x50000000,"\r\n\r\n"' | 8245 segmentation fault uniq Depending on the stack size the NULL-character sequence can be as short as ~10MB (in the above example 50MB) Reproducible: Always Steps to Reproduce: 1. perl -e 'print "1","\0"x50000000,"\r\n\r\n"' | uniq Actual Results: crash Expected Results: no crash The upstream version of coreutils does not have this problem (doesn't crash). The bug seems to be in the openSUSE specific multi-byte character patch (coreutils-i18n.patch). The crash happens in "different_multi" function due to call to "alloca" returning pointer beyond the stack.
Can reproduce it for 12.2
'man alloca': If the allocation causes stack overflow, program behavior is undefined. Replacing the use of alloca() by xmalloc() + free() works. I'm working on a patch.
I'm already working on a patch for all three bugs. For speed reasons my patch uses xmalloc for anything beyond 4k.
Fixed in Base:System, submitted to Factory: https://build.opensuse.org/request/show/149348 Fixes for openSUSE:Maintenance pending.
CVE-2013-0222 was assigned to this.
Maintenance requests created: 11.4: https://build.opensuse.org/request/show/149689 12.1: https://build.opensuse.org/request/show/149691 12.2: https://build.opensuse.org/request/show/149694
This is an autogenerated message for OBS integration: This bug (796243) was mentioned in https://build.opensuse.org/request/show/150013 Maintenance /
This is an autogenerated message for OBS integration: This bug (796243) was mentioned in https://build.opensuse.org/request/show/150015 Maintenance /
This is an autogenerated message for OBS integration: This bug (796243) was mentioned in https://build.opensuse.org/request/show/150025 Maintenance /
openSUSE-SU-2013:0232-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 796243,798538,798541 CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223 Sources used: openSUSE 12.1 (src): coreutils-8.14-3.19.1
openSUSE-SU-2013:0233-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 796243,798538,798541 CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223 Sources used: openSUSE 12.2 (src): coreutils-8.16-5.12.1
openSUSE-SU-2013:0237-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 796243,798538,798541 CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223 Sources used: openSUSE 11.4 (src): coreutils-8.9-23.1
Please submit with the current coreutils update for SLE11
Everything submitted
I do not see any submission. request ids? also reassign the bugs back to security-team when done.
I'm checking the submissions right now. Would it be OK to include later bugfixes that were pending acceptance?
yes please
The SWAMPID for this issue is 54064. This issue was rated as moderate. Please submit fixed packages until 2013-08-28. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Packages for SLE have been released
Reopen to reassign.
Update released for: coreutils, coreutils-debuginfo, coreutils-debuginfo-x86, coreutils-debugsource, coreutils-lang, coreutils-x86 Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: coreutils, coreutils-debuginfo, coreutils-debuginfo-x86, coreutils-debugsource, coreutils-lang, coreutils-x86 Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
Update released for: coreutils, coreutils-debuginfo, coreutils-debugsource, coreutils-lang Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
rekleased