public inbox for glibc-bugs@sourceware.org
* [Bug network/28768] New: Buffer overflow in svcunix_create with long pathnames
From: fweimer at redhat dot com @ 2022-01-12 9:40 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28768
Bug ID: 28768
Summary: Buffer overflow in svcunix_create with long pathnames
Product: glibc
Version: 2.34
Status: NEW
Severity: normal
Priority: P2
Component: network
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security+
This is similar to bug 22542, but in different code:
SVCXPRT *
svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
{
  bool_t madesock = FALSE;
  SVCXPRT *xprt;
  struct unix_rendezvous *r;
  struct sockaddr_un addr;
  socklen_t len = sizeof (struct sockaddr_in);

  if (sock == RPC_ANYSOCK)
    {
      if ((sock = __socket (AF_UNIX, SOCK_STREAM, 0)) < 0)
        {
          perror (_("svc_unix.c - AF_UNIX socket creation problem"));
          return (SVCXPRT *) NULL;
        }
      madesock = TRUE;
    }
  memset (&addr, '\0', sizeof (addr));
  addr.sun_family = AF_UNIX;
  len = strlen (path) + 1;
  memcpy (addr.sun_path, path, len);
  len += sizeof (addr.sun_family);
[…]
There is no length check, either.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread
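The length check the report says is missing, as an added example that is not part of the original message and is not the code of the glibc fix: a hypothetical helper, `fill_unix_addr`, rejects a path that does not fit in `sun_path` before anything is copied. `try_path_of_length`, the guard bytes, and the generated paths are constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper, not a glibc function: fill *addr for PATH and store
   the bind() length in *len.  Returns 0, or -1 with errno ENAMETOOLONG when
   PATH plus its NUL does not fit in sun_path; *addr is then left untouched.  */
int
fill_unix_addr (struct sockaddr_un *addr, socklen_t *len, const char *path)
{
  size_t need = strlen (path) + 1;      /* bytes to copy, NUL included */

  if (need > sizeof (addr->sun_path))
    {
      errno = ENAMETOOLONG;
      return -1;
    }
  memset (addr, '\0', sizeof (*addr));
  addr->sun_family = AF_UNIX;
  memcpy (addr->sun_path, path, need);
  *len = offsetof (struct sockaddr_un, sun_path) + need;
  return 0;
}

/* Constructed input: a path of N 'A' bytes (N < 256).  Returns the helper's
   result; *intact reports whether the guard bytes placed directly after
   the address structure kept their fill pattern.  */
int
try_path_of_length (size_t n, int *intact)
{
  struct { struct sockaddr_un addr; unsigned char guard[8]; } s;
  char path[256];
  socklen_t len = 0;

  memset (&s, 0xA5, sizeof (s));
  memset (path, 'A', n);
  path[n] = '\0';
  int rc = fill_unix_addr (&s.addr, &len, path);
  *intact = s.guard[0] == 0xA5 && s.guard[7] == 0xA5;
  return rc;
}

int main (void)
{
  int ok;
  return try_path_of_length (200, &ok) == -1 && ok ? 0 : 1;
}
```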
* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames
From: fweimer at redhat dot com @ 2022-01-12 9:40 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28768
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Assignee|unassigned at sourceware dot org |fweimer at redhat dot com
Status|NEW |ASSIGNED
* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: siddhesh at sourceware dot org @ 2022-01-14 8:14 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28768
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
    What|Removed                     |Added
----------------------------------------------------------------------------
      CC|                            |siddhesh at sourceware dot org
 Summary|Buffer overflow in          |Buffer overflow in
        |svcunix_create with long    |svcunix_create with long
        |pathnames                   |pathnames (CVE-2022-23218)
   Alias|                            |CVE-2022-23218
* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: sam at gentoo dot org @ 2022-01-14 21:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28768
Sam James <sam at gentoo dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sam at gentoo dot org
* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: aurelien at aurel32 dot net @ 2022-01-15 15:41 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28768
Aurelien Jarno <aurelien at aurel32 dot net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |aurelien at aurel32 dot net
* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: pgowda.cve at gmail dot com @ 2022-01-17 9:09 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28768
pgowda <pgowda.cve at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pgowda.cve at gmail dot com
* [Bug network/28768] Buffer overflow in svcunix_create with long pathnames (CVE-2022-23218)
From: fweimer at redhat dot com @ 2022-01-17 13:07 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28768
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.35
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.35 via:
commit f545ad4928fa1f27a3075265182b38a4f939a5f7
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Jan 17 10:21:34 2022 +0100

    CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)

    The sunrpc function svcunix_create suffers from a stack-based buffer
    overflow with overlong pathname arguments.

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>