public inbox for glibc-bugs@sourceware.org
* [Bug network/28768] New: Buffer overflow in svcunix_create with long pathnames
From: fweimer at redhat dot com @ 2022-01-12  9:40 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

            Bug ID: 28768
           Summary: Buffer overflow in svcunix_create with long pathnames
           Product: glibc
           Version: 2.34
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security+

This is similar to bug 22542, but in different code:

SVCXPRT *
svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
{
  bool_t madesock = FALSE;
  SVCXPRT *xprt;
  struct unix_rendezvous *r;
  struct sockaddr_un addr;
  socklen_t len = sizeof (struct sockaddr_in);

  if (sock == RPC_ANYSOCK)
    {
      if ((sock = __socket (AF_UNIX, SOCK_STREAM, 0)) < 0)
        {
          perror (_("svc_unix.c - AF_UNIX socket creation problem"));
          return (SVCXPRT *) NULL;
        }
      madesock = TRUE;
    }
  memset (&addr, '\0', sizeof (addr));
  addr.sun_family = AF_UNIX;
  len = strlen (path) + 1;
  memcpy (addr.sun_path, path, len);
  len += sizeof (addr.sun_family);
[…]

There is no length check, either.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
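
A bounded version of the copy quoted in the report, added here as an example; it is not code from the report or from the glibc fix. The names `sun_set_checked` and `probe` are hypothetical, and the pathnames fed to it are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper, not a glibc function: fill *addr from path.
   Returns the length to pass to bind(), or -1 with errno set.  */
static long
sun_set_checked (struct sockaddr_un *addr, const char *path)
{
  size_t n = strlen (path);
  /* sun_path must hold n bytes plus the NUL.  Reject rather than
     truncate: a truncated name would refer to a different socket.  */
  if (n >= sizeof (addr->sun_path))
    {
      errno = ENAMETOOLONG;
      return -1;
    }
  memset (addr, 0, sizeof (*addr));
  addr->sun_family = AF_UNIX;
  memcpy (addr->sun_path, path, n + 1);
  return (long) (offsetof (struct sockaddr_un, sun_path) + n + 1);
}

/* Constructed input: a pathname of n 'a' bytes (n must be < 512).  */
static long
probe (size_t n)
{
  char path[512];
  struct sockaddr_un addr;
  memset (path, 'a', n);
  path[n] = '\0';
  return sun_set_checked (&addr, path);
}

int
main (void)
{
  size_t cap = sizeof (((struct sockaddr_un *) 0)->sun_path);
  printf ("sun_path holds %zu bytes\n", cap);
  printf ("len %zu -> %ld\n", cap - 1, probe (cap - 1)); /* fits */
  printf ("len %zu -> %ld\n", cap, probe (cap));         /* rejected */
  return 0;
}
```

The boundary is taken from `sizeof (addr->sun_path)` rather than a literal, so the check follows the platform's structure definition.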

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames
From: fweimer at redhat dot com @ 2022-01-12  9:40 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com
             Status|NEW                         |ASSIGNED

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: siddhesh at sourceware dot org @ 2022-01-14  8:14 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at sourceware dot org
            Summary|Buffer overflow in          |Buffer overflow in
                   |svcunix_create with long    |svcunix_create with long
                   |pathnames                   |pathnames (CVE-2022-23218)
              Alias|                            |CVE-2022-23218

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: sam at gentoo dot org @ 2022-01-14 21:21 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: aurelien at aurel32 dot net @ 2022-01-15 15:41 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Aurelien Jarno <aurelien at aurel32 dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aurelien at aurel32 dot net

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: pgowda.cve at gmail dot com @ 2022-01-17  9:09 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

pgowda <pgowda.cve at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pgowda.cve at gmail dot com

* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: fweimer at redhat dot com @ 2022-01-17 13:07 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.35
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.35 via:

commit f545ad4928fa1f27a3075265182b38a4f939a5f7
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Jan 17 10:21:34 2022 +0100

    CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)

    The sunrpc function svcunix_create suffers from a stack-based buffer
    overflow with overlong pathname arguments.

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
