Bug 969727 - (CVE-2016-1234) VUL-1: CVE-2016-1234: glibc: buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory
(CVE-2016-1234)
VUL-1: CVE-2016-1234: glibc: buffer overflow in glob with GLOB_ALTDIRFUNC and...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Andreas Schwab
Security Team bot
CVSSv2:SUSE:CVE-2016-1234:4.3:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-05 07:34 UTC by Marcus Meissner
Modified: 2020-06-11 20:30 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2016-03-05 23:00:14 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-03-07 14:26:29 UTC
is public
Comment 3 Marcus Meissner 2016-03-07 14:27:08 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=19779

Alexander Cherepanov discovered that the glob implementation in glibc does not correctly handle overlong names in struct dirent buffers when GLOB_ALTDIRFUNC is used.

Alexander's reproducer:

Indeed, it's easy to create such overlong filename with NTFS:

truncate -s 2M ntfs.img
mkfs.ntfs -F ntfs.img
mkdir dir
mount ntfs.img dir
cd dir
touch `perl -CS -e 'print chr(0x800) x 255'`

And I guess this is a problem for some programs. For example, glibc uses NAME_MAX to compute an array size here:

https://sourceware.org/git/?p=glibc.git;a=blob;f=posix/glob.c;h=0c04c3ccfdea4677ae8bb511e88ee8e4f37b02b5;hb=HEAD#l1564

The program:

#include <stddef.h>
#include <dirent.h>
#include <sys/stat.h>
#include <glob.h>

int main()
{
  glob_t g;
  g.gl_closedir = &closedir;
  g.gl_readdir = &readdir;
  g.gl_opendir = &opendir;
  g.gl_lstat = &lstat;
  g.gl_stat = &stat;
  glob("*", GLOB_ALTDIRFUNC, NULL, &g);
}

crashes when run in a directory created as shown above -- stack buffer overflow by up to 510 bytes with controlled length and (with some constrains) contents.
Comment 7 Bernhard Wiedemann 2016-05-30 09:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (969727) was mentioned in
https://build.opensuse.org/request/show/398848 13.2 / glibc
Comment 8 Swamp Workflow Management 2016-06-08 14:08:12 UTC
openSUSE-SU-2016:1527-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 969727,973010,973164,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
openSUSE 13.2 (src):    glibc-2.19-16.25.1, glibc-2.19-16.25.2, glibc-testsuite-2.19-16.25.2, glibc-utils-2.19-16.25.1
Comment 9 Swamp Workflow Management 2016-06-30 23:08:36 UTC
SUSE-SU-2016:1721-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 968787,969727,973010,973164,975930,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    glibc-2.19-22.16.2
SUSE Linux Enterprise Server 12 (src):    glibc-2.19-22.16.2
SUSE Linux Enterprise Desktop 12 (src):    glibc-2.19-22.16.2
Comment 10 Swamp Workflow Management 2016-07-04 19:08:27 UTC
SUSE-SU-2016:1733-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 967190,968787,969727,973010,973164,975930,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    glibc-2.19-38.2
SUSE Linux Enterprise Server 12-SP1 (src):    glibc-2.19-38.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    glibc-2.19-38.2
Comment 11 Swamp Workflow Management 2016-07-10 22:15:05 UTC
openSUSE-SU-2016:1779-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 967190,968787,969727,973010,973164,975930,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
openSUSE Leap 42.1 (src):    glibc-2.19-22.1, glibc-testsuite-2.19-22.2, glibc-utils-2.19-22.1
Comment 14 Swamp Workflow Management 2016-08-25 16:10:26 UTC
SUSE-SU-2016:2156-1: An update that solves four vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 931399,965699,969727,973010,973164,973179,980483,980854,986302
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    glibc-2.11.3-17.102.1
SUSE Linux Enterprise Server 11-SP4 (src):    glibc-2.11.3-17.102.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    glibc-2.11.3-17.102.1
Comment 15 Marcus Meissner 2017-03-01 13:06:57 UTC
released