[Bug 2011326] Re: glibc 2.37: snprintf() on armhf wrongly truncates writes given extremely large size argument
Launchpad Bug Tracker
2011326 at bugs.launchpad.net
Mon Mar 27 09:30:18 UTC 2023
This bug was fixed in the package glibc - 2.37-0ubuntu2
---------------
glibc (2.37-0ubuntu2) lunar; urgency=medium

  * d/p/u/lp2007599*.patch: add tunables for s390x (LP: #2007599)
  * d/p/any/local-ldso-disable-hwcap: fix compilation error (LP: #2006485)
  * d/sysdeps/arm64.mk: enable Memory Tagging Extension (MTE) checking on arm64
    (LP: #2006739)
  * d/control: declare a Breaks on older cyrus-imapd (LP: #2011326)
  * d/control: Fix missing version bumps that could cause issues on upgrades
  * Cherry-pick patches from upstream maintenance branch:
    - 0001-cdefs-Limit-definition-of-fortification-macros.patch
    - 0002-LoongArch-Add-new-relocation-types.patch
    - 0003-Use-64-bit-time_t-interfaces-in-strftime-and-strptim.patch
    - 0004-Account-for-grouping-in-printf-width-bug-30068.patch
    - 0005-NEWS-Document-CVE-2023-25139.patch
    - 0006-elf-Smoke-test-ldconfig-p-against-system-etc-ld.so.c.patch
    - 0007-stdlib-Undo-post-review-change-to-16adc58e73f3-BZ-27.patch
    - 0008-elf-Restore-ldconfig-libc6-implicit-soname-logic-BZ-.patch

 -- Simon Chopin <schopin at ubuntu.com>  Thu, 16 Mar 2023 09:44:01 +0100
** Changed in: glibc (Ubuntu)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-25139
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/2011326
Title:
  glibc 2.37: snprintf() on armhf wrongly truncates writes given extremely large size argument

Status in cyrus-imapd package in Ubuntu:
  Fix Released
Status in glibc package in Ubuntu:
  Fix Released
Bug description:
The cyrus-imapd package fails to build from source on armhf in lunar
against glibc 2.37. I've tracked this down to a combination of bad
string handling in the cyrus library's API, and a regression in glibc
2.37 vs 2.36 when snprintf() is passed a size argument whose value is
very close to INT_MAX.
Basically, since the API is passed a buffer of unknown size, and then
passes this on to functions that DO safe handling of buffer lengths,
it claims a buffer size of INT_MAX. Because the functions start
filling the buffer before the call to snprintf(), the actual size
argument to snprintf() is slightly less than INT_MAX. This is
unrealistic and incorrect, but technically valid, so snprintf() should
handle it correctly.
Below is a reproducer that demonstrates the bug on armhf.
#include <limits.h>
#include <stdio.h>
#include <string.h>

int main(void) {
    char buf[32];
    int res;

    /* Normal case: the size argument matches the real buffer. */
    res = snprintf(buf, sizeof(buf)-1, "%s", "hello world");
    printf("having a normal one. res=%d,buf=%s\n", res, buf);

    /* Trigger case: a size argument of INT_MAX, far larger than buf;
     * on armhf with glibc 2.37 this write is wrongly truncated. */
    res = snprintf(buf, INT_MAX, "%s", "hello world");
    printf("res=%d but buf=%s\n", res, buf);
    return 0;
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-imapd/+bug/2011326/+subscriptions
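The bug report above notes that the cyrus API claims a buffer size of INT_MAX because the real size is unknown; that pattern turns snprintf()'s bounds check into a no-op even when libc behaves. The following is an added example (not code from the bug report, cyrus-imapd or glibc) of the pattern a caller should use instead: pass snprintf() the true remaining capacity, use its return value to detect truncation, and keep the buffer NUL-terminated. The function names (buf_appendf, build_pairs, sample_pairs) and the key/value sample data are constructed for this example.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text at offset *used in a buffer of true size cap.
 * snprintf() gets the real remaining room, never a placeholder size.
 * Returns 1 if the text fit, 0 if it was truncated (buffer stays
 * NUL-terminated either way). */
int buf_appendf(char *buf, size_t cap, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (cap == 0 || *used >= cap)
        return 0;                       /* no room left at all */

    va_start(ap, fmt);
    n = vsnprintf(buf + *used, cap - *used, fmt, ap);
    va_end(ap);

    if (n < 0) {
        buf[*used] = '\0';              /* encoding error: keep buffer sane */
        return 0;
    }
    if ((size_t)n >= cap - *used) {     /* return value is the would-be length */
        *used = cap - 1;                /* buffer is now full */
        return 0;
    }
    *used += (size_t)n;
    return 1;
}

/* Build "key=value;" pairs into buf (true size cap).
 * Returns 1 if everything fit, 0 if any pair was truncated. */
int build_pairs(char *buf, size_t cap, const char *const *keys,
                const char *const *vals, size_t count)
{
    size_t used = 0;
    int ok = 1;

    if (cap == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++)
        ok = buf_appendf(buf, cap, &used, "%s=%s;", keys[i], vals[i]) && ok;
    return ok;
}

/* Constructed sample input (hypothetical IMAP-style attributes). */
int sample_pairs(char *buf, size_t cap)
{
    const char *keys[] = { "user", "mailbox", "flags" };
    const char *vals[] = { "alice", "INBOX", "\\Seen" };
    return build_pairs(buf, cap, keys, vals, 3);
}

int main(void)
{
    char small[16], big[64];

    int fit_small = sample_pairs(small, sizeof small);
    int fit_big   = sample_pairs(big, sizeof big);
    printf("small: fit=%d \"%s\"\n", fit_small, small);   /* fit=0, cut at "mail" */
    printf("big:   fit=%d \"%s\"\n", fit_big, big);       /* fit=1, full string */
    return 0;
}
```

The point of the wrapper is that the caller never lies to snprintf(): the size passed is exactly the space that exists, so a libc that honours the contract cannot overrun the buffer, and the return value (the length the output would have had) is what signals truncation rather than a silently clipped string.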