Bug 714936 - <sys-apps/coreutils-8.31: Buffer overflow in convert_to_decimal in embedded gnulib (CVE-2018-17942)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable?]
Keywords:
Depends on:
Blocks: CVE-2017-7476, CVE-2018-17942
Reported: 2020-03-26 22:23 UTC by Sam James
Modified: 2020-03-27 06:04 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description (Sam James, 2020-03-26 22:23:04 UTC)
Note that bug 714934 did affect coreutils.

1) CVE-2017-7476

URL: https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9287ef2b1707e2a222f8ae776ce3785abcb16fba 

Status: Fixed in coreutils 8.28, out of tree now.

2) CVE-2018-17942

Description:
"The convert_to_decimal function in vasnprintf.c in Gnulib before 2018-09-23 has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing."

URL: https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9c3730e601b72b4478e81d3c75e06ede4cfd93bc

This is the first sync with gnulib after the fix; it looks like the first release after this was 8.31.

URL: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4ZP6L5HXDOVKYTM5ELLYE64H75MT4LZR/

So it looks like this might indeed affect coreutils < 8.31.
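As an added illustration (not gnulib's vasnprintf.c, and not code from this bug report), the C below models the sizing error the CVE text describes: a %f-style formatter that counts the characters of the "int.frac" output it will emit but forgets the byte for the trailing '\0'. The names alloc_size_before_fix and alloc_size_after_fix are hypothetical stand-ins for the pre- and post-fix allocation sizes, and format_fixed is a toy formatter, not convert_to_decimal; the inputs are constructed for the example.

```c
/* Added example, not gnulib code: a simplified model of the convert_to_decimal
   off-by-one (CVE-2018-17942). Output has the shape of %f with a fixed
   precision, e.g. "123.4500" for precision 4. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters in "<int>.<frac>" output, terminator NOT counted:
   int_digits, then a '.' and `precision` fractional digits when precision > 0. */
static size_t decimal_chars(size_t int_digits, size_t precision)
{
    return int_digits + (precision > 0 ? 1 + precision : 0);
}

/* Hypothetical model of the pre-fix sizing: room for the characters only. */
size_t alloc_size_before_fix(size_t int_digits, size_t precision)
{
    return decimal_chars(int_digits, precision);
}

/* Hypothetical model of the post-fix sizing: one extra byte for the '\0'. */
size_t alloc_size_after_fix(size_t int_digits, size_t precision)
{
    return decimal_chars(int_digits, precision) + 1;
}

/* Bytes the formatter actually stores, terminator included. */
size_t bytes_stored(size_t int_digits, size_t precision)
{
    return decimal_chars(int_digits, precision) + 1;
}

/* Toy formatter: int_part "." frac_part with exactly `precision` fractional
   digits, zero-padded on the right and truncated (no rounding) when frac_part
   is longer. Sized with the corrected formula. Caller frees the result;
   returns NULL on allocation failure. */
char *format_fixed(const char *int_part, const char *frac_part, size_t precision)
{
    size_t ni = strlen(int_part);
    size_t nf = strlen(frac_part);
    size_t chars = decimal_chars(ni, precision);
    char *out = malloc(alloc_size_after_fix(ni, precision));
    char *p;

    if (out == NULL)
        return NULL;
    p = out;
    memcpy(p, int_part, ni);
    p += ni;
    if (precision > 0) {
        size_t copy = nf < precision ? nf : precision;
        *p++ = '.';
        memcpy(p, frac_part, copy);
        p += copy;
        memset(p, '0', precision - copy);
        p += precision - copy;
    }
    /* This store is the one byte the pre-fix size never reserved: in a buffer
       of alloc_size_before_fix() bytes it lands one past the end. */
    *p = '\0';
    assert((size_t)(p - out) == chars);
    return out;
}

/* Check helper: 1 if format_fixed() yields `expect`, else 0. */
int format_matches(const char *int_part, const char *frac_part,
                   size_t precision, const char *expect)
{
    char *s = format_fixed(int_part, frac_part, precision);
    int ok = (s != NULL && strcmp(s, expect) == 0);
    free(s);
    return ok;
}

int main(void)
{
    size_t ni = 3, prec = 4;
    char *s = format_fixed("123", "45", prec);

    if (s == NULL)
        return 1;
    printf("%s: stored=%zu, before-fix alloc=%zu, after-fix alloc=%zu\n",
           s, bytes_stored(ni, prec),
           alloc_size_before_fix(ni, prec), alloc_size_after_fix(ni, prec));
    free(s);
    return 0;
}
```

The pre-fix size is kept only to show the mismatch against bytes_stored(); a formatter that really allocated that many bytes and then stored the terminator would write one byte past the heap block, which a build with -fsanitize=address reports as a heap-buffer-overflow.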
Comment 1 (Sam James, 2020-03-27 06:04:44 UTC)
I can't see why Fedora patched this, actually.