Bug 755695 (CVE-2020-28928)

Summary:	<sys-libs/musl-1.2.1-r1: wcsnrtombs destination buffer overflow (CVE-2020-28928)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	minor	CC:	blueness, lu_zero, musl
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.openwall.com/lists/oss-security/2020/11/20/4
Whiteboard:	B3 [glsa?]
Package list:		Runtime testing required:	---

Description Sam James archtester

2020-11-20 11:05:29 UTC

"The wcsnrtombs function in all musl libc versions up through 1.2.1 has
been found to have multiple bugs in handling of destination buffer
size when limiting the input character count, which can lead to
infinite loop with no forward progress (no overflow) or writing past
the end of the destination buffera.

This function is not used internally in musl and is not widely used,
but does appear in some applications. The non-input-limiting form
wcsrtombs is not affected.

All users of musl 1.2.1 and prior versions should apply the attached
patch, which replaces the overly complex and erroneous implementation.
The upcoming 1.2.2 release will adopt this new implementation."

Comment 1 Sam James archtester

2020-11-20 11:06:06 UTC

Please apply the patch linked (in URL), thanks!

Comment 2 Sam James archtester

2020-11-24 14:56:21 UTC

https://git.musl-libc.org/cgit/musl/commit/?id=3ab2a4e02682df1382955071919d8aa3c3ec40d4

Comment 3 Larry the Git Cow gentoo-dev

2020-11-24 15:00:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a8e70b0165c61ec95464968205a8cf06859e607

commit 8a8e70b0165c61ec95464968205a8cf06859e607
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-24 14:59:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-24 14:59:59 +0000

    sys-libs/musl: security bump for CVE-2020-28928
    
    Acked-by: Anthony G. Basile <blueness@gentoo.org>
    Bug: https://bugs.gentoo.org/755695
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 .../musl/files/musl-1.2.1-CVE-2020-28928.patch     | 114 ++++++++++++++++++
 sys-libs/musl/musl-1.2.1-r1.ebuild                 | 133 +++++++++++++++++++++
 2 files changed, 247 insertions(+)

Comment 4 Sam James archtester

2020-11-24 15:00:55 UTC

Stabilisation is pending on blueness testing this out in production.

Comment 5 Anthony Basile gentoo-dev

2020-12-06 21:22:07 UTC

(In reply to Sam James from comment #4)
> Stabilisation is pending on blueness testing this out in production.

1.2.1-r1 stable on all arches

Comment 6 Sam James archtester

2020-12-07 16:10:29 UTC

(In reply to Anthony Basile from comment #5)
> (In reply to Sam James from comment #4)
> > Stabilisation is pending on blueness testing this out in production.
> 
> 1.2.1-r1 stable on all arches

Thanks! Please cleanup when ready.

Comment 7 NATTkA bot gentoo-dev

2021-02-14 16:53:00 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: sys-libs/musl-1.2.1-r1

Comment 8 John Helmert III archtester

2021-02-14 18:57:20 UTC

Tree is clean

Comment 9 NATTkA bot gentoo-dev

2021-07-29 17:25:21 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 10 NATTkA bot gentoo-dev

2021-07-29 17:33:54 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 11 NATTkA bot gentoo-dev

2021-07-29 17:41:47 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 12 NATTkA bot gentoo-dev

2021-07-29 17:49:56 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 18:05:50 UTC

Package list is empty or all packages have requested keywords.