Specifically structured /etc/gshadow entries can cause fgetgsent() to return invalid pointers that cause applications to segfault on dereference. One line must fit into the character buffer (1024 bytes, unless a previous line was longer) but have enough group members such that line length + alignment + sizeof(char *) * (#adm + 1 + #mem + 1) > 1024. The parser would return early to avoid overflow, leaving the static result struct pointing to pointers from the previous line which are now invalid, causing segfaults when those pointers are dereferenced. See the following for a test program and a patch: https://sourceware.org/ml/libc-alpha/2016-06/msg01015.html
Created attachment 9705 [details] gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c
Can this be applied to make it into the next release?
This is affecting us too (specifically this bug, leading to https://github.com/systemd/systemd/issues/6512 in systemd, which then leads to https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1848614 when installing tomcat9 on Ubuntu bionic). Any updates on this, the patch attached, or anything we can do to help get the patch merged? Thanks for your work on glibc!
Patches posted: https://sourceware.org/pipermail/libc-alpha/2020-July/116430.html
Fixed for glibc 2.32 via: commit 2add4235ef674988948155f9a8f60a8c7b09bcff Author: Florian Weimer <fweimer@redhat.com> Date: Thu Jul 16 17:31:20 2020 +0200 gshadow: Implement fgetsgent_r using __nss_fgetent_r (bug 20338) Tested-by: Carlos O'Donell <carlos@redhat.com> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
I'm flagging this as security- because the affected files contain trusted content.