
Bug#245029: Acknowledgement (libc6: SIGSEGV in getgrouplist()/getpwnam())



tags 245029 woody
thanks

At Fri, 23 Apr 2004 01:11:15 +0200,
BUCHMULLER Norbert wrote:
> > Isn't it CAN-2003-0689? (I have not seen that fixed in libc6's
> 
> It _is_.

I didn't know about this bug before...
Debian security team, could you look at it?

> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=101691 states that
> 2.2.5 is affected, and, that the bug is in libc/grp/initgroups.c, and that
> the revision that fixes the bug is 1.29.
> 
> From the CVS log
> (http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/grp/initgroups.c?cvsroot=glibc)
> I see that the fix was done in 1.29 indeed, and having a look at the diff
> between 1.29 and 1.28 revealed that Debian's 2.2.5-11.5 has revision 1.28
> of that file, not 1.29.

Debian woody glibc has revision 1.26.

> Now it is clear that this bug is the same as in CAN-2003-0689. Debian is
> still vulnerable. :-(
> 
> Please fix it. Thanks.

The patch below is the diff between 1.26 and 1.29, retrieved from the
CVS web interface above.  The "__attribute_hidden" line and the
"__libc_fatal" part should be deleted when fixing woody's glibc, though.


===================================================================
RCS file: /cvs/glibc/libc/grp/initgroups.c,v
retrieving revision 1.26
retrieving revision 1.29
diff -u -r1.26 -r1.29
--- libc/grp/initgroups.c	2001/07/06 04:54:46	1.26
+++ libc/grp/initgroups.c	2003/04/23 21:26:34	1.29
@@ -1,4 +1,4 @@
-/* Copyright (C) 1989,91,93,1996-1999,2000,01 Free Software Foundation, Inc.
+/* Copyright (C) 1989,91,93,1996-2002, 2003 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -23,6 +23,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <sys/param.h>
 #include <sys/types.h>
 #include <nsswitch.h>
 
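Review bot: `<sys/param.h>` is pulled in only for the `MIN()` macro that the later `memcpy` hunk relies on; keep this line in the woody backport, otherwise `MIN` is undeclared and the build fails.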
@@ -45,7 +46,7 @@
 				   void **fctp);
 extern void *__nss_lookup_function (service_user *ni, const char *fct_name);
 
-extern service_user *__nss_group_database;
+extern service_user *__nss_group_database attribute_hidden;
 
 static enum nss_status
 compat_call (service_user *nip, const char *user, gid_t group, long int *start,
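Review bot: the `attribute_hidden` annotation on `__nss_group_database` is unrelated to the overflow and, as the message notes, the woody tree does not define it; leave the original `extern service_user *__nss_group_database;` declaration untouched when backporting.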
@@ -176,7 +177,7 @@
 
       /* This is really only for debugging.  */
       if (NSS_STATUS_TRYAGAIN > status || status > NSS_STATUS_RETURN)
-	__libc_fatal ("illegal status in " __FUNCTION__);
+	__libc_fatal ("illegal status in internal_getgrouplist");
 
       if (status != NSS_STATUS_SUCCESS
 	  && nss_next_action (nip, status) == NSS_ACTION_RETURN)
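Review bot: swapping `__FUNCTION__` for the literal `"illegal status in internal_getgrouplist"` only changes the text of the fatal-error message; it is not part of the CAN-2003-0689 fix and can be omitted from the woody backport, as the message already suggests.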
@@ -207,6 +208,9 @@
     return -1;
 
   result = internal_getgrouplist (user, group, &size, &newgroups, -1);
+
+  memcpy (groups, newgroups, MIN (*ngroups, result) * sizeof (gid_t));
+
   if (result > *ngroups)
     {
       *ngroups = result;
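Review bot: this is the actual fix: the copy now happens before `*ngroups` is updated and is bounded by `MIN (*ngroups, result)`, so when the user belongs to more groups than the caller's buffer holds only `*ngroups` entries are written, while the caller still learns the required size through `*ngroups`. Note the mixed-sign arithmetic: `*ngroups` and `result` are `int`, so `MIN` of them is an `int` that is then widened for the `sizeof` multiplication; `result` is checked for `-1` before this point, so the operand cannot be negative here.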
@@ -214,8 +218,6 @@
     }
   else
     *ngroups = result;
-      
-  memcpy (groups, newgroups, *ngroups * sizeof (gid_t));
 
   free (newgroups);
   return result;
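Review bot: the removed `memcpy` is the overflow itself: it ran after the `result > *ngroups` branch had raised `*ngroups` to `result`, so it copied `result` entries into a buffer the caller had sized for the original `*ngroups`. Removing it here without also adding the bounded copy in the previous hunk would leave `groups` unfilled, so the two hunks must be applied together. The whitespace-only line dropped alongside it is harmless.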


Regards,
-- gotom
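The defect the patch fixes and the corrected logic, as an added C example for readers following the thread (not code from the message, the Red Hat bug report or glibc itself). `fake_internal_getgrouplist()` and the group list it returns are constructed stand-ins for what the real `internal_getgrouplist()` collects from NSS; the `result = -1;` statement in the overflowing branch is not visible in the hunk context and is assumed here from the documented `getgrouplist()` return convention. The harness makes the caller's buffer the first `cap` slots of a larger array and fills the rest with a canary, so the bad copy is observable without any out-of-bounds access.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/param.h>  /* MIN() on glibc; fallback below for other libcs */

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Constructed sample data: a user who is a member of six groups.  This
   stands in for what internal_getgrouplist() would collect from NSS. */
static const gid_t sample_groups[] = { 100, 1000, 24, 27, 44, 46 };
#define SAMPLE_NGROUPS ((int) (sizeof sample_groups / sizeof sample_groups[0]))

/* Stand-in for internal_getgrouplist(): hands back the list and its length. */
static int fake_internal_getgrouplist (const gid_t **newgroups)
{
  *newgroups = sample_groups;
  return SAMPLE_NGROUPS;
}

/* Tail of getgrouplist() as it stood before revision 1.29 (modelled on the
   removed lines of the patch).  When the user has more groups than the
   caller's buffer holds, *ngroups is first raised to the real count and the
   copy length is derived from that raised value, so `result` entries are
   written into a buffer the caller sized for the original *ngroups. */
int getgrouplist_old (gid_t *groups, int *ngroups)
{
  const gid_t *newgroups;
  int result = fake_internal_getgrouplist (&newgroups);

  if (result > *ngroups)
    {
      *ngroups = result;   /* tell the caller how many entries are needed */
      result = -1;         /* assumed: documented getgrouplist() failure return */
    }
  else
    *ngroups = result;

  memcpy (groups, newgroups, *ngroups * sizeof (gid_t));  /* overflow here */
  return result;
}

/* Tail of getgrouplist() after revision 1.29: copy first, bounded by the
   caller's capacity, then report the real count. */
int getgrouplist_fixed (gid_t *groups, int *ngroups)
{
  const gid_t *newgroups;
  int result = fake_internal_getgrouplist (&newgroups);

  memcpy (groups, newgroups, MIN (*ngroups, result) * sizeof (gid_t));

  if (result > *ngroups)
    {
      *ngroups = result;
      result = -1;
    }
  else
    *ngroups = result;

  return result;
}

/* Harness: the caller's buffer is the first `cap` slots of a larger array;
   the remaining slots are filled with a canary.  Any write past `cap`
   lands on the canary, so the defect shows up without undefined behaviour.
   Returns 1 if the canary survived, 0 if it was overwritten. */
#define HARNESS_SLOTS 16
#define CANARY ((gid_t) 0xDEADBEEF)

int canary_survives (int (*fn) (gid_t *, int *), int cap, int *rc, int *ngroups_out)
{
  gid_t buf[HARNESS_SLOTS];
  int ngroups = cap, i;

  /* keep even the unbounded copy inside buf[] so the test itself is well defined */
  assert (cap > 0 && cap <= HARNESS_SLOTS - SAMPLE_NGROUPS);
  for (i = 0; i < HARNESS_SLOTS; i++)
    buf[i] = CANARY;

  *rc = fn (buf, &ngroups);
  *ngroups_out = ngroups;

  for (i = cap; i < HARNESS_SLOTS; i++)
    if (buf[i] != CANARY)
      return 0;
  return 1;
}

int main (void)
{
  int rc, ng;
  printf ("old,   cap 4: canary %s, rc=%d, ngroups=%d\n",
          canary_survives (getgrouplist_old, 4, &rc, &ng) ? "intact" : "CLOBBERED", rc, ng);
  printf ("fixed, cap 4: canary %s, rc=%d, ngroups=%d\n",
          canary_survives (getgrouplist_fixed, 4, &rc, &ng) ? "intact" : "CLOBBERED", rc, ng);
  printf ("fixed, cap 8: canary %s, rc=%d, ngroups=%d\n",
          canary_survives (getgrouplist_fixed, 8, &rc, &ng) ? "intact" : "CLOBBERED", rc, ng);
  return 0;
}
```

With a caller buffer of four entries and a six-group user, the old tail clobbers the two slots past the buffer while still returning -1 and the required count; the fixed tail returns the same -1 and count but writes only four entries. With a buffer of eight entries both versions behave identically, which is why the bug went unnoticed until a user with more groups than the caller anticipated hit it.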


