Bugzilla – Bug 949754
VUL-1: CVE-2015-5218: util-linux: colcrt: global-buffer-overflow
Last modified: 2021-04-14 22:17:53 UTC
Buffer overflow / crash in colcrt with unclear effect.

"When running colcrt with a big input it crashes because of a global-buffer-overflow caused by a global variable 'page' defined in 'text-utils/colcrt.c:73:9'"

http://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit/text-utils/colcrt.c?id=70e3fcf293c1827a2655a86584ab13075124a8a8
http://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit/text-utils/colcrt.c?id=d883d64d96ab9bef510745d064a351145b9babec

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1259322
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5218
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798067
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5218.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5218
Created attachment 650969 [details]
Reproducer

The original report and reproducer: http://www.spinics.net/lists/util-linux-ng/msg11873.html

I found a crash in colcrt (filter nroff output for CRT previewing).
- The colcrt command is part of the util-linux package and is available from the Linux Kernel Archive:
http://man7.org/linux/man-pages/man1/colcrt.1.html
https://www.kernel.org/pub/linux/utils/util-linux/v2.27/

/opt/linuxtools/bin/colcrt --help

Usage:
 colcrt [options] [<file>...]

Filter nroff output for CRT previewing.

Options:
 -,  --no-underlining  suppress all underlining
 -2, --half-lines      print all half-lines
 -h, --help            display this help and exit
 -V, --version         output version information and exit

For more details see colcrt(1).

Details:
platform: Linux x86/x64
Version: colcrt from util-linux-2.27

colcrt from util-linux-2.27 and below crashes when the tool is used on the command line. When running colcrt with the following file (attached), it crashes because, I believe, when colcrt is called, it dereferences the pointer "cp". Here is the backtrace from gdb:

-bash-4.2$ gdb /opt/linuxtools/bin/colcrt
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-51.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/linuxtools/bin/colcrt...done.
(gdb) r file
Starting program: /opt/linuxtools/bin/colcrt file

Program received signal SIGSEGV, Segmentation fault.
colcrt (f=0x62b060) at text-utils/colcrt.c:216
216	cp[i] = c;
Missing separate debuginfos, use: debuginfo-install glibc-2.17-55.el7_0.5.x86_64
(gdb) bt full
#0  colcrt (f=0x62b060) at text-utils/colcrt.c:216
        c = <optimized out>
        cp = 0x606fe8 L""
        dp = <optimized out>
        i = 0
        w = 1
#1  0x00000000004015bc in main (argc=0, argv=0x7fffffffe5f8) at text-utils/colcrt.c:139
        f = 0x62b060
        i = <optimized out>
        opt = <optimized out>
        longopts = {{name = 0x405d67 "no-underlining", has_arg = 0, flag = 0x0, val = 128}, {name = 0x405d76 "half-lines", has_arg = 0, flag = 0x0, val = 50}, {name = 0x405d81 "version", has_arg = 0, flag = 0x0, val = 86}, {name = 0x405d89 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
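The crash at colcrt.c:216 is a store into a fixed-size global array through an index that grows with the input. The following C program is an added illustration of that pattern and of the bounds check that prevents it; it is not colcrt's code, and the dimensions PAGE_ROWS/PAGE_COLS, the function names and the sample input are all invented here. It places an unchecked writer beside a checked one, then renders a constructed "big input" (a line wider than the buffer and more lines than it has rows) and counts what the checked writer refused instead of overflowing:

```c
#include <stdio.h>
#include <string.h>

/* Dimensions chosen for the illustration only; they are not colcrt's. */
#define PAGE_ROWS 8
#define PAGE_COLS 16

/* Fixed-size global page buffer: the same shape of object as the
 * 'page' array the report points at (text-utils/colcrt.c:73). One
 * extra column holds a NUL so rows can be read back as C strings. */
static char page[PAGE_ROWS][PAGE_COLS + 1];

/* The unchecked pattern behind a crash like the one at colcrt.c:216:
 * row and col are trusted as-is, so input that produces more rows or
 * columns than the array holds writes past it (undefined behaviour). */
void put_char_unchecked(int row, int col, char c)
{
    page[row][col] = c;
}

/* Hardened writer: refuses any index outside the array and tells the
 * caller, instead of silently corrupting neighbouring globals. */
int put_char_checked(int row, int col, char c)
{
    if (row < 0 || row >= PAGE_ROWS || col < 0 || col >= PAGE_COLS)
        return -1;
    page[row][col] = c;
    return 0;
}

/* Lay out a text stream into the page buffer the way a minimal
 * line-oriented formatter would: '\n' moves to the next row, every
 * other byte occupies the next column. Returns how many characters
 * were dropped because they fell outside the buffer. */
int render(const char *text)
{
    int row = 0, col = 0, dropped = 0;

    memset(page, ' ', sizeof page);
    for (int r = 0; r < PAGE_ROWS; r++)
        page[r][PAGE_COLS] = '\0';

    for (const char *p = text; *p; p++) {
        if (*p == '\n') {
            row++;
            col = 0;
            continue;
        }
        if (put_char_checked(row, col, *p) != 0)
            dropped++;
        col++;
    }
    return dropped;
}

/* Read back one rendered row, or NULL if the row does not exist. */
const char *page_row(int row)
{
    if (row < 0 || row >= PAGE_ROWS)
        return NULL;
    return page[row];
}

/* Constructed sample input: a first line wider than PAGE_COLS and more
 * lines than PAGE_ROWS, the "big input" shape from the report. */
const char SAMPLE_OVERFLOW[] =
    "0123456789abcdefXYZ\n"
    "r1x\nr2x\nr3x\nr4x\nr5x\nr6x\nr7x\n"
    "r8x\nr9x\n";

int main(void)
{
    int dropped = render(SAMPLE_OVERFLOW);

    for (int r = 0; r < PAGE_ROWS; r++)
        printf("%2d |%s|\n", r, page_row(r));
    printf("%d character(s) dropped instead of overflowing the buffer\n",
           dropped);
    return 0;
}
```

Dropping is the simplest correct response for the illustration; a real formatter would flush the full page and start a new one, but either way the decision is made before the store, which is the property a reviewer checks for in code like line 216.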
bugbot adjusting priority
Should I prepare an update now (together with several pending bugs in SLE), or will we wait for a more severe bug?
There is something wrong in the maintenance system, and I am not able to submit stuff created by osc mbranch.

home:sbrabec:branches:util-linux-bsc949754-CVE-2015-5218/util-linux.openSUSE_Leap_42.1> osc submitreq
WARNING:
WARNING: Project does not accept submit request, request to open a NEW maintenance incident instead
WARNING:

home:sbrabec:branches:util-linux-bsc949754-CVE-2015-5218> osc mr
Gkr-Message: received an invalid, unencryptable, or non-utf8 secret
Gkr-Message: call to daemon returned an invalid response: (null).(null)()
Gkr-Message: received an invalid, unencryptable, or non-utf8 secret
Gkr-Message: call to daemon returned an invalid response: (null).(null)()
Gkr-Message: received an invalid, unencryptable, or non-utf8 secret
Gkr-Message: call to daemon returned an invalid response: (null).(null)()
Gkr-Message: received an invalid, unencryptable, or non-utf8 secret
Gkr-Message: call to daemon returned an invalid response: (null).(null)()
Using target project 'openSUSE:Maintenance'
Server returned an error: HTTP Error 400: Bad Request
Maintenance incident request contains no defined release target project for package python-libmount.openSUSE_Leap_42.1
The mbranch did not work correctly; I think openSUSE:Leap:42.1 is missing an attribute. I asked the relevant parties to add it. (Additionally, the util-linux needs to be the same as the SLES 12 SP1 version.)
Fix for openSUSE submitted: https://build.opensuse.org/request/show/340315

openSUSE Factory is already fixed since:

Wed Sep 23 14:16:22 CEST 2015 - sbrabec@suse.com
- Update to version 2.27

Version 2.27 already includes this fix. For better tracking, I edited Base:System/util-linux/util-linux.spec and added:
  * colcrt: fix buffer overflow (bsc#949754, CVE-2015-5218)
It will appear in the changelog after the next update.

I hope everything is done now and I can reassign the bug.
openSUSE-SU-2015:1910-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 903440,949754
CVE References: CVE-2015-5218
Sources used:
openSUSE Leap 42.1 (src): python-libmount-2.25-9.5, util-linux-2.25-9.4, util-linux-systemd-2.25-9.1
openSUSE 13.2 (src): python-libmount-2.25.1-20.2, util-linux-2.25.1-20.1, util-linux-systemd-2.25.1-20.1
openSUSE 13.1 (src): util-linux-2.23.2-34.1
All requests are accepted now. Closing.
SUSE-RU-2016:1515-1: An update that solves one vulnerability and has 29 fixes is now available.

Category: recommended (moderate)
Bug References: 880468,889319,903362,903440,903738,905348,922758,923777,924994,931955,940835,940837,943415,946875,947494,949754,950778,953691,954482,956540,958462,959299,963140,963399,970404,972684,975082,976141,977259,977336
CVE References: CVE-2015-5218
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): util-linux-2.25-24.3.2
SUSE Linux Enterprise Software Development Kit 12 (src): util-linux-2.25-24.3.2
SUSE Linux Enterprise Server 12-SP1 (src): bash-completion-2.1-8.1
SUSE Linux Enterprise Server 12 (src): bash-completion-2.1-8.1, python-libmount-2.25-24.3.3, util-linux-2.25-24.3.2, util-linux-systemd-2.25-24.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src): bash-completion-2.1-8.1
SUSE Linux Enterprise Desktop 12 (src): bash-completion-2.1-8.1, python-libmount-2.25-24.3.3, util-linux-2.25-24.3.2, util-linux-systemd-2.25-24.3.1
SUSE-SU-2021:14693-1: An update that solves one vulnerability and has 9 fixes is now available.

Category: security (important)
Bug References: 1040414,903440,903738,923777,923904,924994,925705,930236,931607,949754
CVE References: CVE-2015-5218
JIRA References:
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src): util-linux-2.19.1-6.62.7.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): util-linux-2.19.1-6.62.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.