Bug 928749 (CVE-2015-4041) - VUL-1: CVE-2015-4041, CVE-2015-4042: coreutils: memory handling error with case insensitive sort using UTF-8
Status: RESOLVED FIXED
Alias: CVE-2015-4041
Product: openSUSE Distribution
Classification: openSUSE
Component: Basesystem
Version: 13.2
Hardware/OS: x86-64 / openSUSE 13.2
Importance: P4 - Low / Normal
Target Milestone: ---
Deadline: 2015-12-16
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard: . CVSSv2:RedHat:CVE-2015-4042:3.7:(AV...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-27 13:10 UTC by Forgotten User VLQiF8xTNe
Modified: 2020-08-13 12:16 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
error when trying to sort this file with sort -f on 64bit using UTF-8 (40 bytes, text/plain)
2015-04-27 13:10 UTC, Forgotten User VLQiF8xTNe
produces sort error on 32bit (with LANG=en_US.UTF-8 sort -f) (172 bytes, text/plain)
2015-05-04 08:36 UTC, Forgotten User VLQiF8xTNe

Description Forgotten User VLQiF8xTNe 2015-04-27 13:10:16 UTC
Created attachment 632470
error when trying to sort this file with sort -f on 64bit using UTF-8

On 64-bit (not on 32-bit) OpenSUSE 13.2 when running command
LANG=en_US.UTF-8 sort -f sort_bug_caseinsensitive.txt
(the attached file which is stripped down to 2 lines) I get the following error (remark: changing a single character in the file to sort won't show the error anymore; the same is true for not case-insensitive search, no UTF-8 or not running on 64-bit):

% LANG=en_US.UTF-8 sort -f /export/clpbrd/sort_bug_caseinsensitive.txt
*** Error in `sort': free(): invalid next size (fast): 0x0000000000947ff0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7283f)[0x7fb62b5b783f]
/lib64/libc.so.6(+0x780ae)[0x7fb62b5bd0ae]
/lib64/libc.so.6(+0x78db6)[0x7fb62b5bddb6]
sort[0x409655]
sort[0x407ad0]
sort[0x40a840]
sort[0x404bc1]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fb62b566b05]
sort[0x405b6c]
======= Memory map: ========
00400000-0041a000 r-xp 00000000 08:12 1408252                            /usr/bin/sort
0061a000-0061b000 r--p 0001a000 08:12 1408252                            /usr/bin/sort
0061b000-0061c000 rw-p 0001b000 08:12 1408252                            /usr/bin/sort
00943000-00964000 rw-p 00000000 00:00 0                                  [heap]
7fb62b32e000-7fb62b344000 r-xp 00000000 08:12 4849785                    /lib64/libgcc_s.so.1
7fb62b344000-7fb62b543000 ---p 00016000 08:12 4849785                    /lib64/libgcc_s.so.1
7fb62b543000-7fb62b544000 r--p 00015000 08:12 4849785                    /lib64/libgcc_s.so.1
7fb62b544000-7fb62b545000 rw-p 00016000 08:12 4849785                    /lib64/libgcc_s.so.1
7fb62b545000-7fb62b6e3000 r-xp 00000000 08:12 4849776                    /lib64/libc-2.19.so
7fb62b6e3000-7fb62b8e2000 ---p 0019e000 08:12 4849776                    /lib64/libc-2.19.so
7fb62b8e2000-7fb62b8e6000 r--p 0019d000 08:12 4849776                    /lib64/libc-2.19.so
7fb62b8e6000-7fb62b8e8000 rw-p 001a1000 08:12 4849776                    /lib64/libc-2.19.so
7fb62b8e8000-7fb62b8ec000 rw-p 00000000 00:00 0
7fb62b8ec000-7fb62b904000 r-xp 00000000 08:12 4849837                    /lib64/libpthread-2.19.so
7fb62b904000-7fb62bb03000 ---p 00018000 08:12 4849837                    /lib64/libpthread-2.19.so
7fb62bb03000-7fb62bb04000 r--p 00017000 08:12 4849837                    /lib64/libpthread-2.19.so
7fb62bb04000-7fb62bb05000 rw-p 00018000 08:12 4849837                    /lib64/libpthread-2.19.so
7fb62bb05000-7fb62bb09000 rw-p 00000000 00:00 0
7fb62bb09000-7fb62bb29000 r-xp 00000000 08:12 4849854                    /lib64/ld-2.19.so
7fb62bb8a000-7fb62bbc9000 r--p 00000000 08:12 1443509                    /usr/lib/locale/en_US.utf8/LC_CTYPE
7fb62bbc9000-7fb62bcf9000 r--p 00000000 08:12 1443508                    /usr/lib/locale/en_US.utf8/LC_COLLATE
7fb62bcf9000-7fb62bcfc000 rw-p 00000000 00:00 0
7fb62bd16000-7fb62bd17000 rw-p 00000000 00:00 0
7fb62bd17000-7fb62bd18000 r--p 00000000 08:12 1443514                    /usr/lib/locale/en_US.utf8/LC_NUMERIC
7fb62bd18000-7fb62bd19000 r--p 00000000 08:12 1452546                    /usr/lib/locale/en_US.utf8/LC_TIME
7fb62bd19000-7fb62bd1a000 r--p 00000000 08:12 1451638                    /usr/lib/locale/en_US.utf8/LC_MONETARY
7fb62bd1a000-7fb62bd1b000 r--p 00000000 08:12 1442778                    /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
7fb62bd1b000-7fb62bd1c000 r--p 00000000 08:12 1442897                    /usr/lib/locale/en_US.utf8/LC_PAPER
7fb62bd1c000-7fb62bd1d000 r--p 00000000 08:12 1442867                    /usr/lib/locale/en_US.utf8/LC_NAME
7fb62bd1d000-7fb62bd1e000 r--p 00000000 08:12 1450759                    /usr/lib/locale/en_US.utf8/LC_ADDRESS
7fb62bd1e000-7fb62bd1f000 r--p 00000000 08:12 1443044                    /usr/lib/locale/en_US.utf8/LC_TELEPHONE
7fb62bd1f000-7fb62bd20000 r--p 00000000 08:12 1442888                    /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
7fb62bd20000-7fb62bd27000 r--s 00000000 08:12 1461736                    /usr/lib64/gconv/gconv-modules.cache
7fb62bd27000-7fb62bd28000 r--p 00000000 08:12 1451639                    /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
7fb62bd28000-7fb62bd29000 rw-p 00000000 00:00 0
7fb62bd29000-7fb62bd2a000 r--p 00020000 08:12 4849854                    /lib64/ld-2.19.so
7fb62bd2a000-7fb62bd2b000 rw-p 00021000 08:12 4849854                    /lib64/ld-2.19.so
7fb62bd2b000-7fb62bd2c000 rw-p 00000000 00:00 0
7fff027c9000-7fff027eb000 rw-p 00000000 00:00 0                          [stack]
7fff027fc000-7fff027fe000 r-xp 00000000 00:00 0                          [vdso]
7fff027fe000-7fff02800000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted
Comment 1 Chenzi Cao 2015-04-28 09:28:03 UTC
Hi Andreas, would you please help to have a look at here? I'm not sure whether it is right to assign it to you, please feel free to reassign whenever necessary, thank you!
Comment 2 Forgotten User VLQiF8xTNe 2015-05-04 08:36:40 UTC
Created attachment 633117
produces sort error on 32bit (with LANG=en_US.UTF-8 sort -f)
Comment 3 Forgotten User VLQiF8xTNe 2015-05-04 08:42:43 UTC
(In reply to Timo Böhme from comment #2)
> Created attachment 633117
> produces sort error on 32bit (with LANG=en_US.UTF-8 sort -f)

Now I had the same error as described above with 32bit, but another file to sort (see attachment) is needed to trigger it. It appears the UTF-8 LATIN SMALL LETTER ALPHA (c9 91) is one part of the problem (in both files to sort). With additional checks I found that the other characters may be any ASCII ones, only the character count is important (remove/add a character and the problem disappears).

Here the error output from LANG=en_US.UTF-8 sort -f problem_sort_32bit.txt
on a 32bit OpenSuSe:
% LANG=en_US.UTF-8 sort -f problem_sort_32bit.txt
*** Error in `sort': double free or corruption (!prev): 0x083fed70 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6cdf3)[0xb757cdf3]
/lib/libc.so.6(+0x72f3a)[0xb7582f3a]
/lib/libc.so.6(+0x73b9d)[0xb7583b9d]
sort[0x8051051]
sort[0x804f3bd]
sort[0x80523f8]
sort[0x804bfaf]
/lib/libc.so.6(__libc_start_main+0xf3)[0xb7529993]
sort[0x804d115]
======= Memory map: ========
08048000-08063000 r-xp 00000000 08:07 921969     /usr/bin/sort
08063000-08064000 r--p 0001a000 08:07 921969     /usr/bin/sort
08064000-08065000 rw-p 0001b000 08:07 921969     /usr/bin/sort
083fa000-0841b000 rw-p 00000000 00:00 0          [heap]
b7358000-b7373000 r-xp 00000000 08:07 1060218    /lib/libgcc_s.so.1
b7373000-b7374000 r--p 0001a000 08:07 1060218    /lib/libgcc_s.so.1
b7374000-b7375000 rw-p 0001b000 08:07 1060218    /lib/libgcc_s.so.1
b73a0000-b73df000 r--p 00000000 08:07 1705521    /usr/lib/locale/en_US.utf8/LC_CTYPE
b73df000-b750f000 r--p 00000000 08:07 1705519    /usr/lib/locale/en_US.utf8/LC_COLLATE
b750f000-b7510000 rw-p 00000000 00:00 0
b7510000-b76b6000 r-xp 00000000 08:07 1059966    /lib/libc-2.19.so
b76b6000-b76b8000 r--p 001a6000 08:07 1059966    /lib/libc-2.19.so
b76b8000-b76b9000 rw-p 001a8000 08:07 1059966    /lib/libc-2.19.so
b76b9000-b76bc000 rw-p 00000000 00:00 0
b76bc000-b76d4000 r-xp 00000000 08:07 1088299    /lib/libpthread-2.19.so
b76d4000-b76d5000 r--p 00017000 08:07 1088299    /lib/libpthread-2.19.so
b76d5000-b76d6000 rw-p 00018000 08:07 1088299    /lib/libpthread-2.19.so
b76d6000-b76d8000 rw-p 00000000 00:00 0
b76f1000-b76f2000 rw-p 00000000 00:00 0
b76f2000-b76f3000 r--p 00000000 08:07 1726581    /usr/lib/locale/en_US.utf8/LC_NUMERIC
b76f3000-b76f4000 r--p 00000000 08:07 1596041    /usr/lib/locale/en_US.utf8/LC_TIME
b76f4000-b76f5000 r--p 00000000 08:07 1575647    /usr/lib/locale/en_US.utf8/LC_MONETARY
b76f5000-b76f6000 r--p 00000000 08:07 1705679    /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
b76f6000-b76f7000 r--p 00000000 08:07 1731923    /usr/lib/locale/en_US.utf8/LC_PAPER
b76f7000-b76f8000 r--p 00000000 08:07 1705619    /usr/lib/locale/en_US.utf8/LC_NAME
b76f8000-b76f9000 r--p 00000000 08:07 1575643    /usr/lib/locale/en_US.utf8/LC_ADDRESS
b76f9000-b76fa000 r--p 00000000 08:07 1705681    /usr/lib/locale/en_US.utf8/LC_TELEPHONE
b76fa000-b76fb000 r--p 00000000 08:07 1705678    /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
b76fb000-b7702000 r--s 00000000 08:07 923094     /usr/lib/gconv/gconv-modules.cache
b7702000-b7703000 r--p 00000000 08:07 1575646    /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
b7703000-b7704000 rw-p 00000000 00:00 0
b7704000-b7705000 r-xp 00000000 00:00 0          [vdso]
b7705000-b7707000 r--p 00000000 00:00 0          [vvar]
b7707000-b7727000 r-xp 00000000 08:07 1059909    /lib/ld-2.19.so
b7727000-b7728000 r--p 00020000 08:07 1059909    /lib/ld-2.19.so
b7728000-b7729000 rw-p 00021000 08:07 1059909    /lib/ld-2.19.so
bfac9000-bfaea000 rw-p 00000000 00:00 0          [stack]
Aborted
Comment 4 Philipp Thomas 2015-05-06 09:59:15 UTC
Berny, could you have a look?
Comment 5 Bernhard Voelker 2015-05-08 08:20:21 UTC
Sure, nice riddle for the weekend.
Quick search: crash in (downstream-patched) sort.c:4619:
  free (buf.buf);
Comment 6 Bernhard Wiedemann 2015-05-12 17:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (928749) was mentioned in
https://build.opensuse.org/request/show/306596 13.2 / coreutils-testsuite+coreutils
Comment 7 Bernhard Wiedemann 2015-05-13 10:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (928749) was mentioned in
https://build.opensuse.org/request/show/306722 Factory / coreutils
Comment 9 Alexander Bergmann 2015-05-20 11:53:10 UTC
CVE-2015-4041:

https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940

    src/sort.c (keycompare_mb) ... The current implementation is character
    based, so we allocate the worst case size for the conversion buffer,
    which is MB_CUR_MAX for each input byte.


CVE-2015-4042:

https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940

    There is also a theoretical buffer overflow with data around
    SIZE_MAX/2.
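The two commit excerpts above describe the sizing error behind both CVEs: the downstream i18n patch to sort.c case-folded each line into a buffer sized by input bytes, but a multibyte character can uppercase to a longer encoding, and the fixed bound (MB_CUR_MAX per input byte) must itself be computed without wrapping for very large inputs. The following C is an added example written for this page, not coreutils code and not from any participant in this bug. It models the trigger the reporter isolated in comment 3 (U+0251 LATIN SMALL LETTER ALPHA, bytes C9 91, plus ASCII) with a self-contained UTF-8 codec and a toy uppercase table; `toy_toupper()`, `UTF8_MAX`, `fold_upper()`, `worst_case_size()` and the sample bytes are all assumptions standing in for glibc's `towupper()`, `MB_CUR_MAX` and the real sort.c logic. The fold function never writes past its buffer; it reports how many bytes the result needs, so the shortfall of the naive allocation is shown without provoking undefined behaviour.

```c
/* Added example, not coreutils code. toy_toupper(), UTF8_MAX and SAMPLE are
 * assumptions standing in for towupper(), MB_CUR_MAX and the reporter's file. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UTF8_MAX 4  /* assumption: longest sequence emitted here; glibc's
                       MB_CUR_MAX for UTF-8 locales is 6 */

/* Decode one UTF-8 sequence from s[0..n); return bytes consumed, 0 if malformed. */
static size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    if (n == 0) return 0;
    unsigned char c = s[0];
    size_t len;
    uint32_t v;
    if (c < 0x80) { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; v = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; v = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; v = c & 0x07; }
    else return 0;
    if (n < len) return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    *cp = v;
    return len;
}

/* Encode cp as UTF-8 into out; return bytes written (1..UTF8_MAX). */
static size_t utf8_encode(uint32_t cp, unsigned char out[UTF8_MAX])
{
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        out[0] = (unsigned char)(0xE0 | (cp >> 12));
        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (cp & 0x3F));
        return 3;
    }
    out[0] = (unsigned char)(0xF0 | (cp >> 18));
    out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
    out[3] = (unsigned char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Toy uppercase map (assumption, stands in for towupper()). U+0251 LATIN SMALL
 * LETTER ALPHA (C9 91, 2 bytes) uppercases to U+2C6D LATIN CAPITAL LETTER
 * ALPHA (E2 B1 AD, 3 bytes): the output is longer than the input. */
static uint32_t toy_toupper(uint32_t cp)
{
    if (cp >= 'a' && cp <= 'z') return cp - ('a' - 'A');
    if (cp == 0x0251) return 0x2C6D;
    return cp;
}

/* Uppercase `in` into `out` (capacity `cap`). Never writes past cap; returns
 * the byte count the result NEEDS (may exceed cap), or (size_t)-1 if malformed. */
static size_t fold_upper(const unsigned char *in, size_t n,
                         unsigned char *out, size_t cap)
{
    size_t i = 0, need = 0;
    while (i < n) {
        uint32_t cp;
        size_t l = utf8_decode(in + i, n - i, &cp);
        if (l == 0) return (size_t)-1;
        unsigned char tmp[UTF8_MAX];
        size_t w = utf8_encode(toy_toupper(cp), tmp);
        if (need + w <= cap) memcpy(out + need, tmp, w);  /* bounded copy */
        need += w;
        i += l;
    }
    return need;
}

/* Worst-case output size the way the fix sizes its buffer: UTF8_MAX bytes per
 * input byte. Returns 0 instead of a wrapped (too small) value when n is so
 * large that n * UTF8_MAX overflows size_t, the case behind CVE-2015-4042. */
static size_t worst_case_size(size_t n)
{
    if (n > SIZE_MAX / UTF8_MAX) return 0;
    return n * UTF8_MAX;
}

/* Constructed sample: "abc" followed by U+0251 (C9 91). */
static const unsigned char SAMPLE[] = { 'a', 'b', 'c', 0xC9, 0x91 };
#define SAMPLE_LEN (sizeof SAMPLE)

int main(void)
{
    unsigned char naive[SAMPLE_LEN];  /* one output byte per input byte: too small */
    size_t need = fold_upper(SAMPLE, SAMPLE_LEN, naive, sizeof naive);
    printf("input %zu bytes, uppercase needs %zu bytes, naive buffer short by %zu\n",
           SAMPLE_LEN, need, need - SAMPLE_LEN);
    unsigned char safe[SAMPLE_LEN * UTF8_MAX];
    fold_upper(SAMPLE, SAMPLE_LEN, safe, worst_case_size(SAMPLE_LEN));
    printf("worst-case buffer: %zu bytes\n", worst_case_size(SAMPLE_LEN));
    return 0;
}
```

The reporter's observation that only the character count matters follows from this model: with a byte-sized buffer, one extra byte per folded alpha lands exactly on whatever follows the allocation, so whether the overrun hits a heap chunk header (the `free(): invalid next size` and `double free or corruption (!prev)` reports above) depends on the total length, not on which ASCII characters surround it. Build with `cc -std=c99 -Wall` and no locale is required.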
Comment 10 Swamp Workflow Management 2015-05-24 15:05:04 UTC
openSUSE-SU-2015:0930-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 928749
CVE References: CVE-2013-0221,CVE-2013-0222,CVE-2013-0223
Sources used:
openSUSE 13.2 (src):    coreutils-8.23-2.9.1, coreutils-testsuite-8.23-2.9.1
Comment 11 Andreas Stieger 2015-05-25 06:22:47 UTC
released
Comment 12 Bernhard Wiedemann 2015-06-04 12:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (928749) was mentioned in
https://build.opensuse.org/request/show/310291 13.2 / coreutils-testsuite+coreutils
Comment 13 Swamp Workflow Management 2015-06-12 19:06:01 UTC
openSUSE-SU-2015:1059-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 928749,933396
CVE References: CVE-2015-4041,CVE-2015-4042
Sources used:
openSUSE 13.2 (src):    coreutils-8.23-2.12.1, coreutils-testsuite-8.23-2.12.1
Comment 14 Swamp Workflow Management 2015-09-25 13:16:22 UTC
SUSE-SU-2015:1637-1: An update that solves two vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 866010,901905,907290,921559,928749,930565,933396
CVE References: CVE-2015-4041,CVE-2015-4042
Sources used:
SUSE Linux Enterprise Server 12 (src):    coreutils-8.22-9.1
SUSE Linux Enterprise Desktop 12 (src):    coreutils-8.22-9.1
Comment 15 Swamp Workflow Management 2015-12-02 13:44:29 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-12-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62363
Comment 16 SMASH SMASH 2015-12-02 13:44:47 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Dec. 16, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/62363/.
Comment 26 Marcus Meissner 2020-08-13 12:16:05 UTC
released