Bugzilla – Bug 798541
VUL-1: CVE-2013-0223: coreutils: segmentation fault in "join -i" with long line input
Last modified: 2015-12-04 12:11:14 UTC
+++ This bug was initially created as a clone of Bug #796243 +++ "join -i" crashes if input stream contains very long strings % perl -e 'print "1","A"x50000000,"\r\n\r\n"' > /tmp/test.txt % join -i /tmp/test.txt /tmp/test.txt [1] 13579 segmentation fault join -i /tmp/test.txt /tmp/test.txt % rm /tmp/test.txt Depending on the stack size the string can be as short as ~10MB (in the above example 50MB) Reproducible: Always Steps to Reproduce: 1. see above Actual Results: crash Expected Results: no crash
Probably enough to fix it in Factory.
Fixed in Base:System, submitted to Factory: https://build.opensuse.org/request/show/149348 Fixes for openSUSE:Maintenance pending.
CVE-2013-0223 was assigned to this.
Maintenance requests created: 11.4: https://build.opensuse.org/request/show/149689 12.1: https://build.opensuse.org/request/show/149691 12.2: https://build.opensuse.org/request/show/149694
Bernhard, thanks for the 11.4 submit. As 11.4 is not running the very same update process anymore it would be very helpful if you could recreate the request for Evergreen 11.4. Please see the description here: http://en.opensuse.org/openSUSE:Evergreen#Version_11.4_and_higher
This is an autogenerated message for OBS integration: This bug (798541) was mentioned in https://build.opensuse.org/request/show/150013 Maintenance /
This is an autogenerated message for OBS integration: This bug (798541) was mentioned in https://build.opensuse.org/request/show/150015 Maintenance /
This is an autogenerated message for OBS integration: This bug (798541) was mentioned in https://build.opensuse.org/request/show/150025 Maintenance /
openSUSE-SU-2013:0232-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 796243,798538,798541 CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223 Sources used: openSUSE 12.1 (src): coreutils-8.14-3.19.1
openSUSE-SU-2013:0233-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 796243,798538,798541 CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223 Sources used: openSUSE 12.2 (src): coreutils-8.16-5.12.1
openSUSE-SU-2013:0237-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 796243,798538,798541 CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223 Sources used: openSUSE 11.4 (src): coreutils-8.9-23.1
Please submit with the current coreutils update for SLE11
Fixes for SLE11-SP! and SLE11-SP2 submitted as SRs 28314 and 28315
The SWAMPID for this issue is 54064. This issue was rated as moderate. Please submit fixed packages until 2013-08-28. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Packages for SLE where submitted
Reopen to reassign
Update released for: coreutils, coreutils-debuginfo, coreutils-debuginfo-x86, coreutils-debugsource, coreutils-lang, coreutils-x86 Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: coreutils, coreutils-debuginfo, coreutils-debuginfo-x86, coreutils-debugsource, coreutils-lang, coreutils-x86 Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
Update released for: coreutils, coreutils-debuginfo, coreutils-debugsource, coreutils-lang Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
released