From: Florian Weimer
To: libc-alpha@sourceware.org
Subject: [PATCH 0/4] Various nscd security fixes
Date: Wed, 24 Apr 2024 18:08:33 +0200

Carlos filed bug 31677, and it turns out that this is a reachable
stack-based buffer overflow. The data looks quite attacker-controlled
to me and probably can contain NUL bytes with a custom client, so this
looks quite exploitable to my untrained eye.

Unfortunately, the reproducer kept crashing after the initial patch,
hence the second and third commit. The two issues fixed in the last
commit were discovered by reading through the code.

By my count, this needs four different CVE identifiers:

Bug 31677: the stack-based buffer overflow (commit 1)
Bug 31678: two distinct null pointer dereferences (commit 2, commit 3)
  (same flaw type, presumably same version range, so MERGE from a CVE
  perspective)
Bug 31679: process termination on malloc failure (commit 4)
Bug 31680: memory corruption due to incorrect callback API assumption
  (commit 4)

Florian Weimer (4):
  nscd: Stack-based buffer overflow in netgroup cache (bug 31677)
  nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678)
  nscd: Avoid null pointer crashes after notfound response (bug 31678)
  nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)

 nscd/netgroupcache.c | 247 +++++++++++++++++++++++--------------------
 1 file changed, 135 insertions(+), 112 deletions(-)

base-commit: f4724843ada64a51d66f65d3199fe431f9d4c254
-- 
2.44.0