[UBUNTU] zipl/libc: Fix potential buffer overflow in printf
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu on IBM z Systems | Fix Released | High | Canonical Foundations Team | |
| s390-tools (Ubuntu) | Fix Released | High | Skipper Bug Screeners | |
| Xenial | Fix Released | High | Unassigned | |
| Bionic | Fix Released | High | Unassigned | |
| Eoan | Won't Fix | High | Unassigned | |
| Focal | Fix Released | High | Skipper Bug Screeners | |
Bug Description

[Impact]
* Crash of the zipl boot loader during boot.
* Caused by a printf buffer overflow in the zipl/libc implementation.

[Test Case]
* Use printf to print a string with >81 characters (the exact number depends on the stack layout/compiler used).

[Where problems could occur]
* Regressions in zipl could break booting on IBM Z in certain scenarios.
* The package is only available on s390x and thus could only affect IBM Z machines.

[Other Info]
* Patches provided by IBM.
* In addition to the 4 commit IDs from the original description, I needed to include part of another upstream commit, to add the "memmove()" function. This was taken from: https:/
=== Original Description ===

Description: zipl/libc: Fix potential buffer overflow in printf
Symptom: Crash of the zipl boot loader during boot.
Problem: The zipl boot loaders have their own minimalistic libc
Solution: Implement vsnprintf and make use of it.
Reproduction: Use printf to print a string with >81 characters (exact number
Upstream commit(s) for s390-tools:
6fe9e6c55c69c14
8874b908254c47c
f7430027b41d5ad
36fed0e6c659063
Problem was introduced with version 1.24. Therefore these patches need to be applied to all distros in service.
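The description above is the whole fix in one line: stop formatting into a fixed stack buffer with an unbounded write, bound the write with vsnprintf, and mark lines that had to be cut. The block below is an added illustration of that pattern and is not code from s390-tools or from IBM's patches; the 81-byte line buffer, the function names and the "..." truncation marker are assumptions chosen to match the report.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed line buffer size: the report says the overflow needs more than
 * 81 characters, so 80 visible characters plus the terminating NUL. */
#define LINE_BUF_SIZE 81

/* Pattern the report describes (deliberately not called here): the format
 * result is written straight into a fixed buffer with no length bound, so an
 * oversized line overruns the stack frame.
 *
 *   char buf[LINE_BUF_SIZE];
 *   vsprintf(buf, fmt, ap);
 */

/* Hardened variant: the write is bounded by vsnprintf, truncation is detected
 * from its return value, and a truncated line is marked with "...".
 * Returns 0 when the line fit, 1 when it was truncated, -1 on format error. */
int format_line_bounded(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(out, out_size, fmt, ap);   /* never writes past out_size */
    va_end(ap);

    if (needed < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= out_size) {
        size_t len = out_size - 1;               /* vsnprintf already NUL-terminated */
        if (len >= 3)
            memcpy(out + len - 3, "...", 3);     /* marker is an assumption */
        return 1;
    }
    return 0;
}

/* Feeds a constructed 199-character argument through the bounded formatter,
 * i.e. an input well past the size that crashed the original printf. */
int demo_long_line(char *out, size_t out_size)
{
    char input[200];
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    return format_line_bounded(out, out_size, "zipl: %s", input);
}
```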
Related branches

- Julian Andres Klode (community): Approve
- git-ubuntu developers: Pending requested

  Diff: 763 lines (+717/-0), 7 files modified:
  - debian/changelog (+17/-0)
  - debian/patches/0024-zipl-libc-Introduce-vsnprintf.patch (+302/-0)
  - debian/patches/0025-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch (+46/-0)
  - debian/patches/0026-zipl-libc-Replace-sprintf-with-snprintf.patch (+224/-0)
  - debian/patches/0027-zipl-libc-Indicate-truncated-lines-in-printf-with.patch (+69/-0)
  - debian/patches/0028-zipl-boot-libc-add-memmove-function.patch (+54/-0)
  - debian/patches/series (+5/-0)

- Dimitri John Ledkov: Pending requested

  Diff: 763 lines (+717/-0), 7 files modified:
  - debian/changelog (+17/-0)
  - debian/patches/0029-zipl-libc-Introduce-vsnprintf.patch (+302/-0)
  - debian/patches/0030-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch (+46/-0)
  - debian/patches/0031-zipl-libc-Replace-sprintf-with-snprintf.patch (+224/-0)
  - debian/patches/0032-zipl-libc-Indicate-truncated-lines-in-printf-with.patch (+69/-0)
  - debian/patches/0033-zipl-boot-libc-add-memmove-function.patch (+54/-0)
  - debian/patches/series (+5/-0)
Activity log

- tags: added: architecture-s39064 bugnameltc-184097 severity-high targetmilestone-inin2004
- Changed in ubuntu:
  - assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
- affects: ubuntu → linux (Ubuntu)
- affects: linux (Ubuntu) → s390-tools (Ubuntu)
- Changed in ubuntu-z-systems:
  - status: New → Triaged
  - importance: Undecided → High
  - assignee: nobody → Canonical Foundations Team (canonical-foundations)
- information type: Private Security → Public
- Changed in ubuntu-z-systems:
  - status: Triaged → In Progress
- Changed in s390-tools (Ubuntu Eoan):
  - status: Invalid → Won't Fix
- tags: added: fr-883
- Changed in s390-tools (Ubuntu Bionic):
  - status: New → In Progress
- description: updated
- Changed in s390-tools (Ubuntu Xenial):
  - status: New → In Progress
- Changed in ubuntu-z-systems:
  - status: In Progress → Fix Committed
- Changed in s390-tools (Ubuntu):
  - importance: Undecided → High
- Changed in s390-tools (Ubuntu Xenial):
  - importance: Undecided → High
- Changed in s390-tools (Ubuntu Bionic):
  - importance: Undecided → High
- Changed in s390-tools (Ubuntu Eoan):
  - importance: Undecided → High
- Changed in s390-tools (Ubuntu Focal):
  - importance: Undecided → High
- Changed in ubuntu-z-systems:
  - status: Fix Committed → Fix Released
Is there a CVE identifier allocated for this? Do we need to allocate one?