public inbox for glibc-bugs@sourceware.org

* [Bug network/28768] New: Buffer overflow in svcunix_create with long pathnames
From: fweimer at redhat dot com
Date: 2022-01-12 9:40 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

            Bug ID: 28768
           Summary: Buffer overflow in svcunix_create with long pathnames
           Product: glibc
           Version: 2.34
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security+

This is similar to bug 22542, but in different code:

SVCXPRT *
svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
{
  bool_t madesock = FALSE;
  SVCXPRT *xprt;
  struct unix_rendezvous *r;
  struct sockaddr_un addr;
  socklen_t len = sizeof (struct sockaddr_in);

  if (sock == RPC_ANYSOCK)
    {
      if ((sock = __socket (AF_UNIX, SOCK_STREAM, 0)) < 0)
        {
          perror (_("svc_unix.c - AF_UNIX socket creation problem"));
          return (SVCXPRT *) NULL;
        }
      madesock = TRUE;
    }
  memset (&addr, '\0', sizeof (addr));
  addr.sun_family = AF_UNIX;
  len = strlen (path) + 1;
  memcpy (addr.sun_path, path, len);
  len += sizeof (addr.sun_family);
[…]

There is no length check, either.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
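
Added example, not part of the original report and not the glibc patch: the missing length check from the excerpt above, written as a stand-alone helper that refuses a path which does not fit in sun_path together with its terminating NUL. The name checked_unix_addr and the choice of ENAMETOOLONG as the error code are assumptions made for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not a glibc function).  Fills *addr for PATH and
   stores the length to hand to bind() in *len.  Returns 0 on success,
   -1 with errno set if PATH is NULL or too long for sun_path.  */
int
checked_unix_addr (struct sockaddr_un *addr, socklen_t *len, const char *path)
{
  memset (addr, 0, sizeof (*addr));
  addr->sun_family = AF_UNIX;
  if (path == NULL)
    {
      errno = EINVAL;
      return -1;
    }

  size_t n = strlen (path);
  /* n == sizeof (sun_path) leaves no room for the NUL; anything larger is
     the case in which the unchecked memcpy writes past addr on the stack.  */
  if (n >= sizeof (addr->sun_path))
    {
      errno = ENAMETOOLONG;
      return -1;
    }

  memcpy (addr->sun_path, path, n + 1);
  /* Header bytes before sun_path plus the string and its NUL.  */
  *len = (socklen_t) (offsetof (struct sockaddr_un, sun_path) + n + 1);
  return 0;
}

int
main (void)
{
  struct sockaddr_un addr;
  socklen_t len = 0;
  char overlong[sizeof (addr.sun_path) + 64];   /* constructed sample input */

  memset (overlong, 'A', sizeof (overlong) - 1);
  overlong[sizeof (overlong) - 1] = '\0';
  printf ("short path: %d\n", checked_unix_addr (&addr, &len, "/tmp/rpc.sock"));
  printf ("overlong path: %d\n", checked_unix_addr (&addr, &len, overlong));
  return 0;
}
```
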

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames
From: fweimer at redhat dot com
Date: 2022-01-12 9:40 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                           |Added
----------------------------------------------------------------------------
                 CC|                                  |fweimer at redhat dot com
           Assignee|unassigned at sourceware dot org  |fweimer at redhat dot com
             Status|NEW                               |ASSIGNED

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: siddhesh at sourceware dot org
Date: 2022-01-14 8:14 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at sourceware dot org
            Summary|Buffer overflow in          |Buffer overflow in
                   |svcunix_create with long    |svcunix_create with long
                   |pathnames                   |pathnames (CVE-2022-23218)
              Alias|                            |CVE-2022-23218

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: sam at gentoo dot org
Date: 2022-01-14 21:21 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: aurelien at aurel32 dot net
Date: 2022-01-15 15:41 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Aurelien Jarno <aurelien at aurel32 dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aurelien at aurel32 dot net

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: pgowda.cve at gmail dot com
Date: 2022-01-17 9:09 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

pgowda <pgowda.cve at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pgowda.cve at gmail dot com

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: fweimer at redhat dot com
Date: 2022-01-17 13:07 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.35
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.35 via:

commit f545ad4928fa1f27a3075265182b38a4f939a5f7
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Jan 17 10:21:34 2022 +0100

    CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)

    The sunrpc function svcunix_create suffers from a stack-based buffer
    overflow with overlong pathname arguments.

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>