[Bug 1890535] Re: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications
Bug Watch Updater
1890535 at bugs.launchpad.net
Thu Aug 6 06:29:55 UTC 2020
Launchpad has imported 7 comments from the remote bug at
https://sourceware.org/bugzilla/show_bug.cgi?id=20338.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2016-07-08T14:44:55+00:00 dm0 wrote:
Specifically structured /etc/gshadow entries can cause fgetgsent() to
return invalid pointers that cause applications to segfault on
dereference.
One line must fit into the character buffer (1024 bytes, unless a
previous line was longer) but have enough group members such that
line length + alignment + sizeof(char *) * (#adm + 1 + #mem + 1) >
1024.
The parser would return early to avoid overflow, leaving the static
result struct pointing to pointers from the previous line which are now
invalid, causing segfaults when those pointers are dereferenced.
See the following for a test program and a patch:
https://sourceware.org/ml/libc-alpha/2016-06/msg01015.html
Reply at:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1890535/comments/0
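The condition described in the comment above, as an added C example that is not part of the original report or of glibc: it applies the stated inequality to a single gshadow line so that an administrator can check whether a file contains such an entry. The function names are hypothetical, and counting "line length" as the line plus its terminating NUL and "alignment" as padding up to a pointer boundary are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024   /* initial buffer size given in the report */

/* Entries in a comma-separated list field; an empty field has none. */
static size_t count_list(const char *s, size_t len)
{
    size_t n = len ? 1 : 0;
    for (size_t i = 0; i < len; i++)
        n += (s[i] == ',');
    return n;
}

/* 1: line meets the reported condition, 0: it does not,
   -1: not in name:password:admins:members form. */
int gshadow_line_at_risk(const char *line)
{
    size_t len = strcspn(line, "\n"), flen[4];
    const char *f[4], *p = line, *end = line + len;
    for (int i = 0; i < 4; i++) {
        const char *colon = memchr(p, ':', (size_t)(end - p));
        if (i < 3 && !colon)
            return -1;
        f[i] = p;
        flen[i] = (size_t)((i < 3 ? colon : end) - p);
        p = (i < 3) ? colon + 1 : end;
    }
    size_t adm = count_list(f[2], flen[2]);
    size_t mem = count_list(f[3], flen[3]);
    size_t used = len + 1;                      /* assumption: line plus NUL */
    size_t pad = (sizeof(char *) - used % sizeof(char *)) % sizeof(char *);
    size_t ptrs = sizeof(char *) * (adm + 1 + mem + 1);
    return used <= BUF_SIZE && used + pad + ptrs > BUF_SIZE;
}

/* Constructed sample: group "g" with n one-letter members. */
void make_sample(char *out, size_t n)
{
    strcpy(out, "g:*::");
    for (size_t i = 0; i < n; i++)
        strcat(out, i ? ",a" : "a");
}

int main(void)
{
    char line[2048];
    make_sample(line, 200);
    printf("200 members: %d\n", gshadow_line_at_risk(line));
    printf("adm:*::syslog: %d\n", gshadow_line_at_risk("adm:*::syslog"));
    return 0;
}
```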
------------------------------------------------------------------------
On 2016-12-15T23:36:16+00:00 dm0 wrote:
Created attachment 9705
gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c
Reply at:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1890535/comments/1
------------------------------------------------------------------------
On 2017-02-20T06:45:05+00:00 dm0 wrote:
Can this be applied to make it into the next release?
Reply at:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1890535/comments/2
------------------------------------------------------------------------
On 2019-10-18T01:00:04+00:00 Jason Perrin wrote:
This is affecting us too (specifically this bug, leading to
https://github.com/systemd/systemd/issues/6512 in systemd, which then
leads to https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1848614
when installing tomcat9 on Ubuntu bionic). Any updates on this, the
patch attached, or anything we can do to help get the patch merged?
Thanks for your work on glibc!
Reply at:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1890535/comments/3
------------------------------------------------------------------------
On 2020-07-17T08:33:23+00:00 Florian Weimer wrote:
Patches posted: https://sourceware.org/pipermail/libc-alpha/2020-July/116430.html
Reply at:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1890535/comments/4
------------------------------------------------------------------------
On 2020-07-21T15:16:12+00:00 Florian Weimer wrote:
Fixed for glibc 2.32 via:
commit 2add4235ef674988948155f9a8f60a8c7b09bcff
Author: Florian Weimer <fweimer at redhat.com>
Date: Thu Jul 16 17:31:20 2020 +0200
gshadow: Implement fgetsgent_r using __nss_fgetent_r (bug 20338)
Tested-by: Carlos O'Donell <carlos at redhat.com>
Reviewed-by: Carlos O'Donell <carlos at redhat.com>
Reply at:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1890535/comments/5
------------------------------------------------------------------------
On 2020-07-31T10:02:37+00:00 Florian Weimer wrote:
I'm flagging this as security- because the affected files contain
trusted content.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1890535/comments/6
** Changed in: glibc
Status: Unknown => Fix Released
** Changed in: glibc
Importance: Unknown => Medium
** Bug watch added: github.com/systemd/systemd/issues #6512
https://github.com/systemd/systemd/issues/6512
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1890535
Title:
Parsing of /etc/gshadow can return bad pointers causing segfaults in
applications
Status in GLibC:
Fix Released
Status in glibc package in Ubuntu:
New
Bug description:
This bug is already solved upstream
(https://sourceware.org/bugzilla/show_bug.cgi?id=20338) in 2.32 and
has to be backported.
It indirectly causes systemd-sysusers on 20.04/focal to fail
(https://github.com/systemd/systemd/issues/6512).