Bug 661 (CVE-2005-3590) - getgrouplist memory corruption (CVE-2005-3590)
Summary: getgrouplist memory corruption (CVE-2005-3590)
Status: RESOLVED FIXED
Alias: CVE-2005-3590
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.3.4
Importance: P2 critical
Target Milestone: ---
Assignee: GOTO Masanori
URL:
Keywords:
Depends on:
Blocks: libc235
Reported: 2005-01-14 13:21 UTC by Thorsten Kukuk
Modified: 2019-04-11 09:50 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security+


Attachments
Patch to check for enough space (515 bytes, patch)
2005-01-14 13:23 UTC, Thorsten Kukuk

Description Thorsten Kukuk 2005-01-14 13:21:52 UTC
If you call getgrouplist with ngroups=0 as argument to find out how
big the buffer needs to be, it will corrupt the stack. The problem is
that internal_getgrouplist will always add the main group at first,
without checking for enough space.
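The following is an added illustration, not glibc's code: a simplified, hypothetical model of internal_getgrouplist with the space check the fix introduces (the primary group is only stored when the caller's buffer has room, but is always counted so the required size is reported), together with the probe-then-allocate calling pattern from the report. The supplementary group list is constructed sample data standing in for the NSS lookup.

```c
#include <stdlib.h>
#include <sys/types.h>

/* Constructed supplementary groups for the user (sample data, not a
 * real lookup). */
static const gid_t supp_groups[] = { 4, 24, 27 };
static const int n_supp = sizeof supp_groups / sizeof supp_groups[0];

/* Hypothetical model of internal_getgrouplist after the BZ #661 fix.
 * *ngroups is the capacity on entry and the required size on return.
 * Returns the group count, or -1 when the buffer was too small, the
 * same contract as getgrouplist(3). */
static int model_getgrouplist(gid_t primary, gid_t *groups, int *ngroups)
{
    int size = *ngroups;   /* capacity supplied by the caller */
    int count = 0;

    /* The pre-fix code stored the primary group unconditionally; with
     * *ngroups == 0 that write landed past the caller's buffer. */
    if (count < size)
        groups[count] = primary;
    count++;

    for (int i = 0; i < n_supp; i++) {
        if (supp_groups[i] == primary)
            continue;            /* primary is already in the list */
        if (count < size)
            groups[count] = supp_groups[i];
        count++;
    }

    *ngroups = count;
    return count <= size ? count : -1;
}

/* The sizing idiom from the report: probe with ngroups = 0 (no write
 * may happen), then allocate exactly what is needed and call again.
 * Returns a malloc'd list (caller frees) and its length in *out_n. */
static gid_t *fetch_group_list(gid_t primary, int *out_n)
{
    int n = 0;
    model_getgrouplist(primary, NULL, &n);   /* returns -1, sets n */
    gid_t *list = malloc(sizeof *list * n);
    if (list == NULL || model_getgrouplist(primary, list, &n) == -1) {
        free(list);
        return NULL;
    }
    *out_n = n;
    return list;
}
```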
Comment 1 Thorsten Kukuk 2005-01-14 13:23:05 UTC
Created attachment 352 [details]
Patch to check for enough space
Comment 2 cvs-commit@gcc.gnu.org 2005-03-29 23:40:07 UTC
Subject: Bug 661

CVSROOT:	/cvs/glibc
Module name:	libc
Changes by:	roland@sources.redhat.com	2005-03-29 23:39:59

Modified files:
	grp            : initgroups.c 

Log message:
	2005-03-29  Thorsten Kukuk  <kukuk@suse.de>
	
	[BZ #661]
	* grp/initgroups.c (internal_getgrouplist): Check if we have
	enough space before adding the primary group to the list.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/grp/initgroups.c.diff?cvsroot=glibc&r1=1.33&r2=1.34

Comment 3 cvs-commit@gcc.gnu.org 2005-03-29 23:40:54 UTC
Subject: Bug 661

CVSROOT:	/cvs/glibc
Module name:	libc
Branch: 	glibc-2_3-branch
Changes by:	roland@sources.redhat.com	2005-03-29 23:40:49

Modified files:
	grp            : initgroups.c 

Log message:
	2005-03-29  Thorsten Kukuk  <kukuk@suse.de>
	
	[BZ #661]
	* grp/initgroups.c (internal_getgrouplist): Check if we have
	enough space before adding the primary group to the list.

Patches:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/grp/initgroups.c.diff?cvsroot=glibc&only_with_tag=glibc-2_3-branch&r1=1.33&r2=1.33.2.1

Comment 4 Roland McGrath 2005-03-29 23:41:37 UTC
Now in both branches.
Comment 5 cvs-commit@gcc.gnu.org 2006-08-03 15:25:28 UTC
Subject: Bug 661

CVSROOT:	/cvs/glibc
Module name:	libc
Changes by:	drepper@sourceware.org	2006-08-03 15:25:19

Modified files:
	grp            : initgroups.c 

Log message:
	(internal_getgrouplist): Remove unnecessary test introduced in patch
	for bz #661.
	(getgrouplist): Simplify code a bit.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/grp/initgroups.c.diff?cvsroot=glibc&r1=1.34&r2=1.35