public inbox for glibc-bugs@sourceware.org
* [Bug libc/17079] New: nss_files mishandles small buffer
From: schwab@linux-m68k.org @ 2014-06-23  8:18 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17079

            Bug ID: 17079
           Summary: nss_files mishandles small buffer
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: schwab@linux-m68k.org
                CC: drepper.fsp at gmail dot com
            Blocks: 16071

The patch for bug 16071 broke parsing of files where a line doesn't fit in the
supplied buffer, by ignoring such lines instead of returning ERANGE to the
caller.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
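
Added example (not part of the original thread and not glibc code): the report above says lines that do not fit the supplied buffer were ignored instead of producing ERANGE. The C code below shows what that difference means for a caller; read_entry, first_account, skip_long and the sample data are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: one long entry, then one short entry. */
static const char SAMPLE[] =
    "averyveryverylongaccountname:x:1000:1000::/home/long:/bin/sh\n"
    "bob:x:1001:1001::/home/bob:/bin/sh\n";

/* Hypothetical reader, not glibc code.  Returns 0, ENOENT at end of file, or
   ERANGE if the line does not fit; skip_long mimics the reported skipping. */
static int read_entry(FILE *fp, char *buf, size_t len, int skip_long)
{
    for (;;) {
        long start = ftell(fp);
        if (fgets(buf, (int)len, fp) == NULL)
            return ENOENT;
        size_t n = strlen(buf);
        if (n > 0 && buf[n - 1] == '\n') {
            buf[n - 1] = '\0';
            return 0;
        }
        if (feof(fp))
            return 0;                    /* final line without newline */
        if (!skip_long) {
            fseek(fp, start, SEEK_SET);  /* caller retries with more space */
            return ERANGE;
        }
        for (int c; (c = getc(fp)) != EOF && c != '\n'; )
            ;                            /* drop the rest of the long line */
    }
}

/* Caller: first account name; 40-byte buffer first, grown once on ERANGE. */
static int first_account(int skip_long, char *out, size_t outlen)
{
    char small[40], big[256], *buf = small;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return errno;
    fputs(SAMPLE, fp);
    rewind(fp);
    int rc = read_entry(fp, buf, sizeof small, skip_long);
    if (rc == ERANGE)
        rc = read_entry(fp, buf = big, sizeof big, skip_long);
    fclose(fp);
    if (rc == 0)
        snprintf(out, outlen, "%.*s", (int)strcspn(buf, ":"), buf);
    return rc;
}
```

With skip_long set, the caller's first lookup yields bob instead of the long entry, and no error tells it that a line was missed.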



* [Bug libc/17079] nss_files mishandles small buffer
From: fweimer at redhat dot com @ 2014-06-23  8:20 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17079

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-


* [Bug libc/17079] nss_files mishandles small buffer
From: schwab@linux-m68k.org @ 2014-06-23 10:31 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17079

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.20

--- Comment #2 from Andreas Schwab <schwab@linux-m68k.org> ---
Fixed.


* [Bug libc/17079] nss_files mishandles small buffer (CVE-2015-5277)
From: fweimer at redhat dot com @ 2015-09-14 15:40 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17079

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|nss_files mishandles small  |nss_files mishandles small
                   |buffer                      |buffer (CVE-2015-5277)
              Alias|                            |CVE-2015-5277
              Flags|security-                   |security+

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
The description is misleading.  This bug can theoretically result in
applications receiving wrong data from NSS, and the data could even be
attacker-controlled, which means that this is a security bug.

Introduced in glibc 2.19, fixed in 2.20.  The broken fix which went into glibc
2.19 has been backported to earlier glibc versions by some distributions.


* [Bug libc/17079] nss_files heap-based buffer overflow with small buffer (CVE-2015-5277)
From: fweimer at redhat dot com @ 2015-09-22 11:42 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17079

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|nss_files mishandles small  |nss_files heap-based buffer
                   |buffer (CVE-2015-5277)      |overflow with small buffer
                   |                            |(CVE-2015-5277)

--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Florian Weimer from comment #4)
> The description is misleading.  This bug can theoretically result in
> applications receiving wrong data from NSS, and the data could even be
> attacker-controlled, which means that this is a security bug.

This is not quite correct, either.  This is actually a heap-based buffer
overflow.


* [Bug libc/17079] nss_files heap-based buffer overflow with small buffer (CVE-2015-5277)
From: cvs-commit at gcc dot gnu.org @ 2015-09-22 11:49 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17079

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  90fa42a1d7b78de0d75f7e3af362275b2abe807f (commit)
      from  e07aabba73ea62e7dfa0512507c92efb851fbdbe (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=90fa42a1d7b78de0d75f7e3af362275b2abe807f

commit 90fa42a1d7b78de0d75f7e3af362275b2abe807f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Sep 22 13:40:17 2015 +0200

    Test in commit e07aabba73ea62e7dfa0512507c92efb851fbdbe is for bug 17079

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                      |    5 +++++
 nss/Makefile                   |    2 +-
 nss/{bug18287.c => bug17079.c} |    3 ++-
 3 files changed, 8 insertions(+), 2 deletions(-)
 rename nss/{bug18287.c => bug17079.c} (98%)
