CVE-2021-3326: The iconv app in glibc when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion & aborts

Bug #1929105 reported by bhs
Affects          Status        Importance  Assigned to  Milestone
GLibC            Fix Released  Medium
glibc (Ubuntu)   Fix Released  Low         Unassigned
  Bionic         Fix Released  Low         Unassigned
  Focal          Fix Released  Low         Unassigned
  Groovy         Won't Fix     Low         Unassigned

Bug Description

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

Ref.: https://ubuntu.com/security/CVE-2021-3326


Florian Weimer (fweimer) wrote:

Tavis Ormandy reported that when converting from ISO-2022-JP-3 to UTF-8, the gconv module could trigger an assertion failure in iconv/skeleton.c if the second wide character in a two-wide-character sequence cannot be written to the output buffer during character set conversion.

If glibc is built with assertions, this assertion failure can typically be triggered by applications (such as mail clients) which use the glibc iconv subsystem for MIME character set processing.

Florian Weimer (fweimer) wrote:

Fixed for 2.33 via:

commit 7d88c6142c6efc160c0ee5e4f85cde382c072888
Author: Florian Weimer <email address hidden>
Date: Wed Jan 27 13:36:12 2021 +0100

    gconv: Fix assertion failure in ISO-2022-JP-3 module (bug 27256)

    The conversion loop to the internal encoding does not follow
    the interface contract that __GCONV_FULL_OUTPUT is only returned
    after the internal wchar_t buffer has been filled completely. This
    is enforced by the first of the two asserts in iconv/skeleton.c:

                  /* We must run out of output buffer space in this
                     rerun. */
                  assert (outbuf == outerr);
                  assert (nstatus == __GCONV_FULL_OUTPUT);

    This commit solves this issue by queuing a second wide character
    which cannot be written immediately in the state variable, like
    other converters already do (e.g., BIG5-HKSCS or TSCII).

    Reported-by: Tavis Ormandy <email address hidden>

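The report above describes the failure mode (the converter returns __GCONV_FULL_OUTPUT while a slot in the wchar_t buffer is still free, so the skeleton's assert (outbuf == outerr) fires) and the commit message describes the fix (queue the second wide character in the state and emit it on the next call). The following C program is an added example modelling both behaviours side by side; it is not glibc code. The decoder, the conv_state struct, the CONV_* codes and the sample input "aXb" are constructed stand-ins for the ISO-2022-JP-3 module, *statep and iconv/skeleton.c, and one "slot" stands for one wchar_t in the skeleton's internal buffer.

```c
/* Toy model of the gconv output-buffer contract.  Added example, not glibc
   code: decoder, state and codes are simplified stand-ins for the real
   ISO-2022-JP-3 module and iconv/skeleton.c. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

enum { CONV_EMPTY_INPUT = 1, CONV_FULL_OUTPUT = 2 };

/* State carried between calls (stands in for *statep). */
typedef struct {
    uint32_t pending;  /* second wide char that did not fit; 0 = none */
} conv_state;

/* Constructed decoder: each byte is one wide char, except 'X', which (like a
   JIS X 0213 base character plus combining mark) expands to two.  The code
   points are placeholders. */
static int decode(unsigned char c, uint32_t wc[2])
{
    if (c == 'X') { wc[0] = 0x304B; wc[1] = 0x309A; return 2; }
    wc[0] = c;
    return 1;
}

/* Pre-fix: if both wide chars do not fit, report FULL_OUTPUT even though one
   slot may still be free, violating the skeleton's contract. */
static int convert_buggy(const unsigned char *in, size_t inlen, size_t *inpos,
                         uint32_t *out, size_t outcap, size_t *outpos)
{
    while (*inpos < inlen) {
        uint32_t wc[2];
        int n = decode(in[*inpos], wc);
        if (*outpos + n > outcap)
            return CONV_FULL_OUTPUT;          /* may leave a slot unused */
        for (int i = 0; i < n; i++)
            out[(*outpos)++] = wc[i];
        (*inpos)++;
    }
    return CONV_EMPTY_INPUT;
}

/* Post-fix: write the first wide char, queue the second in the state when it
   does not fit, and flush the queued char first on the next call.  FULL_OUTPUT
   is only returned once every slot is used. */
static int convert_fixed(conv_state *st, const unsigned char *in, size_t inlen,
                         size_t *inpos, uint32_t *out, size_t outcap, size_t *outpos)
{
    if (st->pending) {
        if (*outpos >= outcap) return CONV_FULL_OUTPUT;
        out[(*outpos)++] = st->pending;
        st->pending = 0;
    }
    while (*inpos < inlen) {
        uint32_t wc[2];
        int n = decode(in[*inpos], wc);
        if (*outpos >= outcap) return CONV_FULL_OUTPUT;
        out[(*outpos)++] = wc[0];
        (*inpos)++;
        if (n == 2) {
            if (*outpos >= outcap) {
                st->pending = wc[1];          /* carry into the next call */
                return CONV_FULL_OUTPUT;
            }
            out[(*outpos)++] = wc[1];
        }
    }
    return CONV_EMPTY_INPUT;
}

/* Drives a converter over the constructed input "aXb" with an output buffer of
   outcap (<= 8) slots, re-calling it after each FULL_OUTPUT as the skeleton
   does.  Returns 1 if every FULL_OUTPUT came with a completely filled buffer,
   0 on the first violation (where the real skeleton would assert and abort).
   *total_out receives the number of wide chars produced before stopping. */
static int drain_honours_contract(int use_fixed, size_t outcap, size_t *total_out)
{
    static const unsigned char input[] = "aXb";      /* constructed sample */
    size_t inlen = sizeof input - 1, inpos = 0;
    uint32_t out[8];
    conv_state st = { 0 };

    *total_out = 0;
    for (int call = 0; call < 16; call++) {          /* bound against no progress */
        size_t outpos = 0;
        int r = use_fixed
              ? convert_fixed(&st, input, inlen, &inpos, out, outcap, &outpos)
              : convert_buggy(input, inlen, &inpos, out, outcap, &outpos);
        *total_out += outpos;
        if (r == CONV_FULL_OUTPUT && outpos != outcap)
            return 0;                                /* assert (outbuf == outerr) */
        if (r == CONV_EMPTY_INPUT)
            return 1;
    }
    return 0;
}

int main(void)
{
    size_t n;
    int ok = drain_honours_contract(0, 2, &n);
    printf("buggy, 2 slots: contract %s, %zu chars\n", ok ? "held" : "violated", n);
    ok = drain_honours_contract(1, 2, &n);
    printf("fixed, 2 slots: contract %s, %zu chars\n", ok ? "held" : "violated", n);
    return 0;
}
```

With a two-slot buffer the buggy loop emits "a", then sees that the two-character expansion of "X" does not fit and returns FULL_OUTPUT with one slot still free, which is exactly the state the skeleton's assertion rejects. The fixed loop writes the first character into that free slot, parks the second in conv_state.pending, and produces all four wide characters over two calls; with a four-slot buffer the buggy loop never hits the edge, which is why the problem only shows up when the internal buffer boundary falls inside a combining sequence.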
bhs (bharath-vegito)
information type: Private Security → Public Security
Steve Beattie (sbeattie) wrote:

This is fixed in hirsute and newer via glibc 2.33.

Changed in glibc (Ubuntu):
importance: Undecided → Low
status: New → Fix Released
Changed in glibc (Ubuntu Bionic):
importance: Undecided → Low
Changed in glibc (Ubuntu Focal):
importance: Undecided → Low
Changed in glibc (Ubuntu Groovy):
importance: Undecided → Low
Steve Beattie (sbeattie) wrote:

Groovy has reached end of supported status, and as such will not be fixed.

Changed in glibc (Ubuntu Groovy):
status: New → Won't Fix
Changed in glibc:
importance: Unknown → Medium
status: Unknown → Fix Released
Michael Hudson-Doyle (mwhudson) wrote:

Does anyone have a test case for this? It seems like it would be good to fix it for focal (and eventually bionic).

Alex Murray (alexmurray) wrote:

@mwhudson - there is a test case already in the upstream patch: https://sourceware.org/pipermail/libc-alpha/2021-January/122058.html

Michael Hudson-Doyle (mwhudson) wrote:

I always feel more comfortable for SRUs with a test case that can be run by hand outside the package build, not sure if that's completely justified.

Michael Hudson-Doyle (mwhudson) wrote:
Changed in glibc (Ubuntu Bionic):
status: New → Fix Released
Changed in glibc (Ubuntu Focal):
status: New → Fix Released