Bug 813121 (CVE-2013-1914) - VUL-1: CVE-2013-1914: glibc: stack overflow in getaddrinfo() sorting
Summary: VUL-1: CVE-2013-1914: glibc: stack overflow in getaddrinfo() sorting
Status: RESOLVED FIXED
Alias: CVE-2013-1914
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: x86-64 SLES 10
Priority: P4 - Low  Severity: Normal
Target Milestone: ---
Deadline: 2013-12-24
Assignee: Andreas Schwab
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp4:52491 maint:...
Keywords: DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED
Depends on: 810637
Blocks: 937231
Reported: 2013-04-03 08:18 UTC by Marcus Meissner
Modified: 2018-10-30 07:47 UTC (History)

See Also:
Found By: Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
getaddrinfo-stack-overflow.patch (1.30 KB, patch)
2013-04-03 08:20 UTC, Marcus Meissner

Description Marcus Meissner 2013-04-03 08:18:10 UTC
+++ This bug was initially created as a clone of Bug #810637 +++

A piece of the back trace (bt) from gdb :

#7  0x00002b4353eb0c1b in dumpCrashData () from ./opt/IBM/WebSphere/AppServer/java/jre/bin/libj9vm23.so
#8  0x00002b43541169fd in j9sig_protect () from ./opt/IBM/WebSphere/AppServer/java/jre/bin/libj9prt23.so
#9  0x00002b4353eb0348 in structuredSignalHandler () from ./opt/IBM/WebSphere/AppServer/java/jre/bin/libj9vm23.so
#10 0x00002b4354117449 in masterSynchSignalHandler () from ./opt/IBM/WebSphere/AppServer/java/jre/bin/libj9prt23.so
#11 <signal handler called>
#12 *__GI_getaddrinfo (name=<optimized out>, service=<optimized out>, hints=0x4459fe88, pai=0x44661bc8) at ../sysdeps/posix/getaddrinfo.c:2119
#13 0x00002aab346082a3 in Java_java_net_Inet6AddressImpl_lookupAllHostAddr () from ./opt/IBM/WebSphere/AppServer/java/jre/bin/libnet.so
#14 0x00002aab2ef86b3d in ?? ()
#15 0x00002aaaab97afa0 in ?? () from ./opt/IBM/WebSphere/AppServer/java/jre/bin/libj9gc23.so
#16 0x00002aab448f1e00 in ?? ()
#17 0x0000000000000000 in ?? ()

It would appear that on line 2119 in getaddrinfo.c of glibc there was a problem that caused a segfault.

Here's the code in question:

    for (i = 0, q = p; q != NULL; ++i, last = q, q = q->ai_next)
      {
        results[i].dest_addr = q;
        results[i].service_order = i;
        results[i].native = -1;      <==== segfault here (if the line number
                                           matches correctly)
Comment 1 Marcus Meissner 2013-04-03 08:19:35 UTC
Andreas Schwab reviewed this and the reason is an alloca overflow if the number of replies exceeds a certain limit.
Comment 2 Marcus Meissner 2013-04-03 08:20:20 UTC
Created attachment 533210 [details]
getaddrinfo-stack-overflow.patch

patch by andreas (?)
Comment 3 Marcus Meissner 2013-04-03 08:25:33 UTC
Andreas ... patch is not in glibc git master yet, did you push it upstream?
Comment 4 Andreas Schwab 2013-04-03 08:40:13 UTC
Since it is a security bug I didn't publish it yet.
Comment 7 Marcus Meissner 2013-04-03 11:08:29 UTC
reproducer:

        $ for i in `seq 1 10000000`; do echo "ff00::$i a1" >>/etc/hosts; done
        $ ulimit -s 1024
        $ telnet a1
        Segmentation fault
        
        (clean out /etc/hosts again afterwards)
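The defect named in comment 1 and exercised by the reproducer in comment 7 is a stack array whose size is set by the number of resolver answers. The following is an added illustration, not glibc's code and not the attached patch: it rebuilds the results loop from the description around a stack budget so that a large answer list goes to the heap instead of growing the frame. The struct names, the 64 KiB cutoff, the list builder and all function names are assumptions made for this example; glibc's fix reaches the same decision through its own helper.

```c
/* Added example: bounded stack allocation for the getaddrinfo() results
 * array. Not glibc's code; struct names, the 64 KiB cutoff and the list
 * builder are assumptions made for illustration. */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for struct addrinfo and the sort results entry. */
struct ai_node { int idx; struct ai_node *ai_next; };
struct sort_result { struct ai_node *dest_addr; size_t service_order; int native; };

/* Largest results array we are willing to place on the stack (assumed cutoff). */
#define STACK_ALLOCA_LIMIT ((size_t)64 * 1024)

static size_t count_nodes(const struct ai_node *p) {
    size_t n = 0;
    for (; p != NULL; p = p->ai_next) ++n;
    return n;
}

/* Returns 1 when an array for nresults entries must come from the heap:
 * either the byte count exceeds the stack budget or the multiplication
 * would wrap. The vulnerable pattern was the unconditional
 *   results = alloca(nresults * sizeof(*results));
 * which lets an answer list of any length dictate the frame size. */
int uses_heap(size_t nresults) {
    if (nresults > SIZE_MAX / sizeof(struct sort_result)) return 1;
    return nresults * sizeof(struct sort_result) > STACK_ALLOCA_LIMIT;
}

/* Build the results array as getaddrinfo() does before sorting, choosing
 * stack or heap storage. Returns the number of entries filled, or 0 if the
 * heap allocation failed (or the list was empty). */
size_t fill_results(struct ai_node *p) {
    size_t nresults = count_nodes(p);
    int heap = uses_heap(nresults);
    struct sort_result *results;
    if (heap) {
        results = malloc(nresults * sizeof(*results));
        if (results == NULL) return 0;
    } else {
        results = alloca(nresults * sizeof(*results));
    }

    /* Same loop shape as the crashing code in the description. */
    struct ai_node *q, *last = NULL;
    size_t i;
    for (i = 0, q = p; q != NULL; ++i, last = q, q = q->ai_next) {
        results[i].dest_addr = q;
        results[i].service_order = i;
        results[i].native = -1;
    }
    (void)last;

    if (heap) free(results);
    return i;
}

void free_list(struct ai_node *p) {
    while (p != NULL) {
        struct ai_node *next = p->ai_next;
        free(p);
        p = next;
    }
}

/* Constructed input: a list of n answers, standing in for the many hosts
 * file entries the reproducer writes. */
struct ai_node *make_list(size_t n) {
    struct ai_node *head = NULL;
    for (size_t i = n; i > 0; --i) {
        struct ai_node *node = malloc(sizeof *node);
        if (node == NULL) { free_list(head); return NULL; }
        node->idx = (int)(i - 1);
        node->ai_next = head;
        head = node;
    }
    return head;
}

/* Run the whole path for n answers; returns the number of entries filled. */
size_t run_with_n(size_t n) {
    struct ai_node *l = make_list(n);
    if (n > 0 && l == NULL) return 0;
    size_t filled = fill_results(l);
    free_list(l);
    return filled;
}

int main(void) {
    size_t n = 100000;  /* far beyond the stack budget: takes the heap path */
    printf("%zu answers: heap=%d filled=%zu\n", n, uses_heap(n), run_with_n(n));
    return 0;
}
```

With `ulimit -s 1024` as in the reproducer, the 64 KiB budget still fits comfortably, and an answer list of 100000 entries (2.4 MB of results on a 64-bit build) is served from the heap rather than overrunning the stack. The overflow guard on the multiplication matters as much as the budget: a size computed from an untrusted count has to be checked before it is handed to either allocator.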
Comment 8 Marcus Meissner 2013-04-03 15:10:01 UTC
Please mention CVE-2013-1914 in the glibc commit message.
Comment 9 Swamp Workflow Management 2013-04-03 22:00:25 UTC
bugbot adjusting priority
Comment 10 Marcus Meissner 2013-04-05 09:58:57 UTC
git commit in mainline glibc git:

http://sourceware.org/git/?p=glibc.git;a=commit;h=1cef1b19089528db11f221e938f60b9b048945d7
Comment 11 Swamp Workflow Management 2013-05-09 18:06:59 UTC
The SWAMPID for this issue is 52413.
This issue was rated as low.
Please submit fixed packages until 2013-06-06.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 14 Bernhard Wiedemann 2013-05-16 16:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (813121) was mentioned in
https://build.opensuse.org/request/show/175893 Factory / glibc
Comment 15 Marcus Meissner 2013-05-29 15:52:19 UTC
Was already released for SLES 11 SP2 in glibc-2.11.3-17.45.45.1
Comment 16 Swamp Workflow Management 2013-06-04 13:01:26 UTC
Update released for: glibc, glibc-32bit, glibc-64bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-64bit, glibc-dceext-devel, glibc-dceext-x86, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-devel-64bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-64bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-64bit, glibc-profile-x86, glibc-x86, nscd
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 25 Swamp Workflow Management 2013-07-25 08:48:53 UTC
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-obsolete, glibc-profile, glibc-profile-32bit, nscd
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
SLES4VMWARE 11-SP1-LTSS (i386, x86_64)
Comment 26 Swamp Workflow Management 2013-08-01 07:04:26 UTC
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-obsolete, glibc-profile, glibc-profile-32bit, nscd
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 27 Swamp Workflow Management 2013-08-01 07:04:54 UTC
Update released for: glibc, glibc-32bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-devel, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-obsolete, glibc-profile, glibc-profile-32bit, nscd
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 28 Swamp Workflow Management 2013-08-01 07:05:35 UTC
Update released for: glibc, glibc-devel, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-profile, nscd, timezone
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 29 Swamp Workflow Management 2013-08-01 09:51:08 UTC
Update released for: glibc, glibc-32bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-devel, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-obsolete, glibc-profile, glibc-profile-32bit, nscd
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 30 Swamp Workflow Management 2013-08-29 05:15:49 UTC
The SWAMPID for this issue is 54298.
This issue was rated as low.
Please submit fixed packages until 2013-09-26.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/54298
Comment 31 Andreas Schwab 2013-09-09 13:54:32 UTC
(In reply to comment #15)
> Was already released for SLES 11 SP2 in glibc-2.11.3-17.45.45.1

No, this was a different bug (#785041).
Comment 32 Alexander Bergmann 2013-09-09 14:29:57 UTC
Right, the last SLE-11-SP2 glibc update was from Mon 18 Mar 2013 10:41:33 PM CET. So two weeks before this issue came up.
Comment 37 Swamp Workflow Management 2013-09-30 16:05:08 UTC
openSUSE-SU-2013:1510-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 779320,801246,805054,813121,813306,819383,819524,824046,830257,834594,839870
CVE References: CVE-2012-4412,CVE-2013-0242,CVE-2013-1914,CVE-2013-2207,CVE-2013-4237,CVE-2013-4332
Sources used:
openSUSE 12.3 (src):    glibc-2.17-4.7.1, glibc-testsuite-2.17-4.7.2, glibc-testsuite-2.17-4.7.3, glibc-utils-2.17-4.7.1
Comment 38 Swamp Workflow Management 2013-12-10 06:25:18 UTC
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 39 Swamp Workflow Management 2013-12-10 06:53:21 UTC
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 40 Swamp Workflow Management 2013-12-10 12:41:50 UTC
The SWAMPID for this issue is 55384.
This issue was rated as moderate.
Please submit fixed packages until 2013-12-24.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 41 Victor Pereira 2014-01-28 14:22:06 UTC
fixed
Comment 44 L3 Incident Coordination 2015-07-06 11:17:30 UTC
L3:43338 is closed
Ya Dan Fan