Bugzilla – Bug 980854
VUL-0: CVE-2016-4429: glibc: A stack frame overflow flaw was found in the glibc's clntudp_call
Last modified: 2020-06-11 20:30:50 UTC
CVE-2016-4429

Florian Weimer 2016-05-18 11:58:40 UTC

clntudp_call allocates a buffer, using alloca, to store the payload of an incoming socket error. If a malicious server floods the client with crafted ICMP and UDP packets, this can cause the client to allocate sufficiently many such temporary buffers to cause a stack (frame) overflow (denial of service).

The size of the allocated buffer depends on the request size. If the request size is close to the page size or even larger, this could cause the stack pointer to step over the guard page, leading to additional impact beyond denial of service.

Florian Weimer 2016-05-18 12:01:14 UTC

This was discovered by Aldy Hernandez' alloca plugin for GCC.

Introduced in this commit:

commit b1eab230118c7d65223927486afb7fe0b531bf33
Author: Ulrich Drepper <drepper@redhat.com>
Date: Wed Jan 10 23:47:39 2001 +0000

…

2001-01-10 Jakub Jelinek <jakub@redhat.com>

* sunrpc/clnt_udp.c (clntudp_bufcreate): Set IP_RECVERR on the UDP socket.
(clntudp_call): Handle MSG_ERRQUEUE.
* sysdeps/generic/errqueue.h: New file.
* sysdeps/unix/sysv/linux/errqueue.h: New file.

I have a patch (replace the alloca with malloc/free).

libtirpc is affected as well.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4429
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4429.html
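The stack growth described in the first comment and the malloc/free direction mentioned in the second, as an added example that is not glibc's code or the attached patch. `stack_mark`, `read_error_payload` and both `stack_growth_*` functions are hypothetical names, and the error payload is a constructed stand-in for data read with MSG_ERRQUEUE.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical probe: the address of a local in a fresh frame tracks the caller's stack depth. */
static __attribute__((noinline)) void stack_mark(volatile uintptr_t *out) {
    volatile char here = 0;
    *out = (uintptr_t)&here;
}

/* Constructed stand-in for copying one queued socket error into buf. */
static void read_error_payload(volatile char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = (char)i;
}

/* Shape described in the report: alloca memory is released only when the
   function returns, so each error event in the loop deepens the frame. */
size_t stack_growth_alloca(size_t events, size_t len) {
    volatile uintptr_t first = 0, last = 0;
    for (size_t i = 0; i < events; i++) {
        char *cbuf = alloca(len);
        read_error_payload(cbuf, len);
        stack_mark(&last);
        if (i == 0) first = last;
    }
    return first > last ? first - last : last - first;
}

/* malloc/free shape: the buffer is on the heap and released every pass. */
size_t stack_growth_malloc(size_t events, size_t len) {
    volatile uintptr_t first = 0, last = 0;
    for (size_t i = 0; i < events; i++) {
        char *cbuf = malloc(len);
        if (cbuf == NULL) break;  /* allocation failure must be handled */
        read_error_payload(cbuf, len);
        free(cbuf);
        stack_mark(&last);
        if (i == 0) first = last;
    }
    return first > last ? first - last : last - first;
}

int main(void) {
    /* 64 events of 512 bytes: small enough to stay well inside the stack. */
    printf("alloca: %zu bytes deeper, malloc: %zu bytes deeper\n",
           stack_growth_alloca(64, 512), stack_growth_malloc(64, 512));
}
```

Each step of the alloca growth is about `len` bytes, which is why the report singles out request sizes near the page size.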
bugbot adjusting priority
Created attachment 678123
Fix for CVE-2016-4429.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1337136#c5
This is an autogenerated message for OBS integration: This bug (980854) was mentioned in https://build.opensuse.org/request/show/398848 13.2 / glibc
This is an autogenerated message for OBS integration: This bug (980854) was mentioned in https://build.opensuse.org/request/show/398988 Factory / glibc
openSUSE-SU-2016:1527-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 969727,973010,973164,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
openSUSE 13.2 (src): glibc-2.19-16.25.1, glibc-2.19-16.25.2, glibc-testsuite-2.19-16.25.2, glibc-utils-2.19-16.25.1

SUSE-SU-2016:1721-1: An update that solves four vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 968787,969727,973010,973164,975930,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): glibc-2.19-22.16.2
SUSE Linux Enterprise Server 12 (src): glibc-2.19-22.16.2
SUSE Linux Enterprise Desktop 12 (src): glibc-2.19-22.16.2

SUSE-SU-2016:1733-1: An update that solves four vulnerabilities and has four fixes is now available.
Category: security (moderate)
Bug References: 967190,968787,969727,973010,973164,975930,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): glibc-2.19-38.2
SUSE Linux Enterprise Server 12-SP1 (src): glibc-2.19-38.2
SUSE Linux Enterprise Desktop 12-SP1 (src): glibc-2.19-38.2

openSUSE-SU-2016:1779-1: An update that solves four vulnerabilities and has four fixes is now available.
Category: security (moderate)
Bug References: 967190,968787,969727,973010,973164,975930,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
openSUSE Leap 42.1 (src): glibc-2.19-22.1, glibc-testsuite-2.19-22.2, glibc-utils-2.19-22.1

SUSE-SU-2016:2156-1: An update that solves four vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 931399,965699,969727,973010,973164,973179,980483,980854,986302
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): glibc-2.11.3-17.102.1
SUSE Linux Enterprise Server 11-SP4 (src): glibc-2.11.3-17.102.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): glibc-2.11.3-17.102.1