Resolves: CVE-2018-17942 - fix heap-based buffer overflow in vasnprintf()

coreutils-8.30-CVE-2018-17942.patch

@@ -0,0 +1,69 @@
+From 6d059cebfdefbdf56910a858f8b603d37f10ef6d Mon Sep 17 00:00:00 2001
+From: Bruno Haible <bruno@clisp.org>
+Date: Sun, 23 Sep 2018 14:13:52 +0200
+Subject: [PATCH] vasnprintf: Fix heap memory overrun bug.
+
+Reported by Ben Pfaff <blp@cs.stanford.edu> in
+<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
+
+* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+memory.
+* tests/test-vasnprintf.c (test_function): Add another test.
+
+Upstream-commit: 278b4175c9d7dd47c1a3071554aac02add3b3c35
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ gnulib-tests/test-vasnprintf.c | 21 ++++++++++++++++++++-
+ lib/vasnprintf.c               |  4 +++-
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/gnulib-tests/test-vasnprintf.c b/gnulib-tests/test-vasnprintf.c
+index 19731bc..93d81d7 100644
+--- a/gnulib-tests/test-vasnprintf.c
++++ b/gnulib-tests/test-vasnprintf.c
+@@ -53,7 +53,26 @@ test_function (char * (*my_asnprintf) (char *, size_t *, const char *, ...))
+       ASSERT (result != NULL);
+       ASSERT (strcmp (result, "12345") == 0);
+       ASSERT (length == 5);
+-      if (size < 6)
++      if (size < 5 + 1)
++        ASSERT (result != buf);
++      ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
++      if (result != buf)
++        free (result);
++    }
++
++  /* Note: This test assumes IEEE 754 representation of 'double' floats.  */
++  for (size = 0; size <= 8; size++)
++    {
++      size_t length;
++      char *result;
++
++      memcpy (buf, "DEADBEEF", 8);
++      length = size;
++      result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125);
++      ASSERT (result != NULL);
++      ASSERT (strcmp (result, "163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208") == 0);
++      ASSERT (length == 126);
++      if (size < 126 + 1)
+         ASSERT (result != buf);
+       ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
+       if (result != buf)
+diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
+index 3b441d0..48ef7a6 100644
+--- a/lib/vasnprintf.c
++++ b/lib/vasnprintf.c
+@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
+   size_t a_len = a.nlimbs;
+   /* 0.03345 is slightly larger than log(2)/(9*log(10)).  */
+   size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+-  char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
++  /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
++     digits of a, followed by 1 byte for the terminating NUL.  */
++  char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+   if (c_ptr != NULL)
+     {
+       char *d_ptr = c_ptr;
+-- 
+2.17.1
+

coreutils.spec

@@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name:    coreutils
 Version: 8.30
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv3+
 Group:   System Environment/Base
 Url:     https://www.gnu.org/software/coreutils/
@@ -17,6 +17,9 @@ Source106:  coreutils-colorls.csh
 # rename gnulib's renameat2 to renameatu to avoid clash with glibc (#1598518)
 Patch1:   coreutils-8.30-renameatu.patch
 
+# fix heap-based buffer overflow in vasnprintf() (CVE-2018-17942)
+Patch2:   coreutils-8.30-CVE-2018-17942.patch
+
 # disable the test-lock gnulib test prone to deadlock
 Patch100: coreutils-8.26-test-lock.patch
 
@@ -252,6 +255,9 @@ fi
 %license COPYING
 
 %changelog
+* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 8.30-5
+- fix heap-based buffer overflow in vasnprintf() (CVE-2018-17942)
+
 * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8.30-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild