Bug 453984 (CVE-2013-0221) - sys-apps/coreutils : various segfault with long line input
Summary: sys-apps/coreutils : various segfault with long line input
Status: RESOLVED INVALID
Alias: CVE-2013-0221
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa?]
Reported: 2013-01-25 12:49 UTC by Agostino Sarubbo
Modified: 2014-07-28 09:45 UTC
Description Agostino Sarubbo gentoo-dev 2013-01-25 12:49:07 UTC
From $URL :

Can someone assign a CVE id for a buffer overflow in coreutils?
It's the same code snippet (coreutils-i18n.patch) and it affects sort, uniq and join:

https://bugzilla.novell.com/show_bug.cgi?id=798538
https://bugzilla.novell.com/show_bug.cgi?id=796243
https://bugzilla.novell.com/show_bug.cgi?id=798541

-

Gentoo seems to apply 000_all_coreutils-i18n.patch.
Comment 1 SpanKY gentoo-dev 2013-01-25 19:20:02 UTC
we don't have i18n in 8.20
Comment 2 Agostino Sarubbo gentoo-dev 2013-01-25 20:23:08 UTC
(In reply to comment #1)
> we don't have i18n in 8.20

Does not mean it is invalid.
Comment 3 SpanKY gentoo-dev 2013-01-25 22:37:26 UTC
(In reply to comment #2)

of course it does.  from the bug reports:
 The upstream version of coreutils does not have this problem (doesn't crash).

and none of those examples crash for me.

we don't track crashes in patches we don't carry.
Comment 4 Agostino Sarubbo gentoo-dev 2013-01-25 22:42:33 UTC
(In reply to comment #3)
> (In reply to comment #2)
> 
> of course it does.  from the bug reports:
>  The upstream version of coreutils does not have this problem (doesn't
> crash).
> 
> and none of those examples crash for me.
> 
> we don't track crashes in patches we don't carry.

The security team needs to send an advisory if we had the vulnerable code in the tree and you need to punt the vulnerable ebuilds.

arcadia coreutils # grep -R i18n .
./coreutils-8.7.ebuild:         use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.18.ebuild:                use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.20.ebuild:                use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.8.ebuild:         use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.12.ebuild:                use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./ChangeLog:  Include i18n patch from Fedora #328827 by Arago.
./ChangeLog:  Tweak tests in i18n patch #317565 by T Chan.
./ChangeLog:  Add i18n patch from Fedora and some fixes from upstream for #210133.
./ChangeLog:  Update the i18n patch to fix cut again as well as expand #104286 by peteru.
./ChangeLog:  Update i18n patch to the redhat version #87429 and include the tty utf8 fix
./ChangeLog:  we're using openi18n.org's patches for coreutils, which should sort (no pun
./ChangeLog:  Update version. I ported the ACL patches, except for the i18n one, as it gets
./coreutils-8.17.ebuild:                use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.9.ebuild:         use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.20-r1.ebuild:             use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.5.ebuild:         use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.19.ebuild:                use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.10.ebuild:                use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.14.ebuild:                use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.20-r2.ebuild:             use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.5-r1.ebuild:              use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.11.ebuild:                use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.13.ebuild:                use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.15.ebuild:                use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.16.ebuild:                use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch


I see anything related to i18n from fedora.
Comment 5 SpanKY gentoo-dev 2013-01-26 03:12:21 UTC
(In reply to comment #4)

well, you didn't really read the grep output.  simply looking for the string "i18n" doesn't tell you anything.

8.5 was the last version that actually included the i18n patch.

GLSAs for that version (or older) is a waste of time imo especially since there have been a bunch of other random crash bugs in coreutils we haven't done anything about.  just look at the NEWS file.
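
The point made in comment 5, as an added example (not part of the bug report and not Gentoo tooling): every ebuild keeps its `rm -f` line because `rm -f` succeeds silently when the file is absent, so a string match on the ebuilds cannot show whether a given version's patch set still ships the patch. The directory layout (`ebuilds/`, `patchsets/<version>/patch/`) and the three-version sample tree are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: "ebuild mentions the patch" vs "patch set actually ships it".
PATCH_NAME="000_all_coreutils-i18n.patch"

# Versions whose ebuild text mentions the patch (what a recursive grep reports).
mentioned_versions() {
    local ebuild_dir=$1 f
    for f in "$ebuild_dir"/coreutils-*.ebuild; do
        [ -e "$f" ] || continue
        if grep -q -- "$PATCH_NAME" "$f"; then
            basename "$f" .ebuild | sed 's/^coreutils-//'
        fi
    done | LC_ALL=C sort
}

# Versions whose unpacked patch set really contains the patch file.
shipped_versions() {
    local patch_root=$1 d
    for d in "$patch_root"/*/; do
        if [ -f "${d}patch/$PATCH_NAME" ]; then basename "$d"; fi
    done | LC_ALL=C sort
}

# One line per referencing version: is the patch there to be applied?
audit() {
    local ebuild_dir=$1 patch_root=$2 v shipped
    shipped=$(shipped_versions "$patch_root")
    for v in $(mentioned_versions "$ebuild_dir"); do
        if printf '%s\n' "$shipped" | grep -qxF -- "$v"; then
            echo "$v referenced=yes shipped=yes"
        else
            echo "$v referenced=yes shipped=no"
        fi
    done
}

# Constructed sample tree (assumed layout): only 8.5 ships the patch.
make_sample() {
    local root=$1 v
    mkdir -p "$root/ebuilds"
    for v in 8.5 8.18 8.20; do
        printf '%s\n' 'use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch' \
            > "$root/ebuilds/coreutils-$v.ebuild"
        mkdir -p "$root/patchsets/$v/patch"
        : > "$root/patchsets/$v/patch/001_placeholder.patch"
    done
    : > "$root/patchsets/8.5/patch/$PATCH_NAME"
}

tmp=$(mktemp -d); make_sample "$tmp"
audit "$tmp/ebuilds" "$tmp/patchsets"; rm -rf "$tmp"
```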
Comment 6 Agostino Sarubbo gentoo-dev 2013-01-26 09:28:58 UTC
(In reply to comment #5)
> (In reply to comment #4)
> 
> well, you didn't really read the grep output.  simply looking for the string
> "i18n" doesn't tell you anything.
> 
> 8.5 was the last version that actually included the i18n patch.

Then as I said the bug is valid.

@security, please file glsa request or add to existing.