Bug 569763 (CVE-2020-27221) - Stack buffer overflow
Summary: Stack buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2020-27221
Product: openj9
Classification: Technology
Component: General
Version: unspecified
Hardware: All Unix All
Importance: P3 normal
Target Milestone: ---
Assignee: Project Inbox CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-12-16 19:10 EST by Peter Shipton CLA
Modified: 2021-02-18 17:33 EST

Description Peter Shipton CLA 2020-12-16 19:10:22 EST
Comment 1 Peter Shipton CLA 2020-12-16 20:14:06 EST
project: Eclipse OpenJ9
versions: initial - 0.23

cwe: CWE-121
https://cwe.mitre.org/data/definitions/121.html
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

summary:
In Eclipse OpenJ9 up to version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are using OMR and converting from UTF-8 characters to platform encoding.
Comment 2 Peter Shipton CLA 2020-12-16 21:36:58 EST
project: Eclipse OpenJ9
versions: initial - 0.23

cwe: CWE-121
https://cwe.mitre.org/data/definitions/121.html
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

summary:
In Eclipse OpenJ9 up to version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding.
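The bug class named in this report (CWE-121 in a UTF-8 to platform encoding conversion), illustrated by an added example that is not OpenJ9 or OMR code: a bounded converter that always reports the size the output needs, and a caller that falls back to the heap instead of writing past a fixed stack buffer. UTF-16 stands in for a platform encoding that can be wider than the UTF-8 input; the decoder checks sequence structure and code point range only (no overlong check), and STACK_BUF_UNITS, CONV_BAD and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#define STACK_BUF_UNITS 16     /* hypothetical small fixed-size stack buffer */
#define CONV_BAD ((size_t)-1)  /* malformed or truncated UTF-8 input */
/* Decode one UTF-8 sequence from s[0..n), n >= 1: returns bytes consumed, 0 if malformed. */
static size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    size_t need = s[0] < 0x80 ? 1 : (s[0] & 0xE0) == 0xC0 ? 2 : (s[0] & 0xF0) == 0xE0 ? 3 : (s[0] & 0xF8) == 0xF0 ? 4 : 0;
    if (need == 0 || n < need) return 0;                            /* bad lead byte or truncated */
    uint32_t c = need == 1 ? s[0] : s[0] & (0x3Fu >> (need - 1));  /* payload bits of the lead byte */
    for (size_t i = 1; i < need; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;                        /* bad continuation byte */
        c = (c << 6) | (s[i] & 0x3F);
    }
    *cp = c; return c > 0x10FFFF ? 0 : need;                        /* reject out-of-range code points */
}
/* Bounded UTF-8 -> UTF-16 (stand-in for a platform encoding wider than the input). Writes at most
 * `cap` units to out but always returns the units the full result needs (cap == 0: sizing pass only). */
size_t utf8_to_utf16(const char *utf8, size_t len, uint16_t *out, size_t cap)
{
    const unsigned char *s = (const unsigned char *)utf8; size_t pos = 0, units = 0;
    while (pos < len) {
        uint32_t cp; size_t n, used = utf8_decode(s + pos, len - pos, &cp);
        if (used == 0) return CONV_BAD;
        pos += used;
        n = cp >= 0x10000 ? 2 : 1;              /* supplementary plane needs a surrogate pair */
        if (units + n <= cap) {                 /* write only when the whole unit or pair fits */
            if (n == 1) out[units] = (uint16_t)cp;
            else { out[units] = (uint16_t)(0xD800 + ((cp - 0x10000) >> 10));
                   out[units + 1] = (uint16_t)(0xDC00 + ((cp - 0x10000) & 0x3FF)); }
        }
        units += n;                             /* keep counting even when nothing is written */
    }
    return units;
}
/* Safe caller pattern: the size result decides whether the stack buffer may be used at all;
 * larger results go to the heap instead of past the stack buffer. Returns units or CONV_BAD. */
size_t convert_with_stack_fallback(const char *utf8, size_t len, int *used_heap)
{
    uint16_t stackbuf[STACK_BUF_UNITS];
    size_t need = utf8_to_utf16(utf8, len, stackbuf, STACK_BUF_UNITS);  /* never overruns stackbuf */
    if (need == CONV_BAD) return CONV_BAD;
    if (used_heap) *used_heap = need > STACK_BUF_UNITS;
    if (need > STACK_BUF_UNITS) {
        uint16_t *heap = malloc(need * sizeof *heap); if (!heap) return CONV_BAD;
        utf8_to_utf16(utf8, len, heap, need);   /* guaranteed to fit now */
        free(heap);                             /* a real caller would consume the result first */
    }
    return need;
}
```

The unsafe variant this guards against sizes the stack buffer by input bytes: for ASCII input every UTF-8 byte already becomes two output bytes, so the output exceeds the input before any multi-byte sequence is involved.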
Comment 3 Wayne Beaton CLA 2021-01-20 23:53:07 EST
I've assigned CVE-2020-27221.

I've sent a pull request to the central authority:

https://github.com/CVEProject/cvelist/pull/628
Comment 4 Peter Shipton CLA 2021-02-18 16:33:35 EST
I've noticed that https://nvd.nist.gov/vuln/detail/CVE-2020-27221 indicates versions "Up to (excluding) 0.23.0" are affected. However 0.23.0 is affected as indicated by "versions: initial - 0.23". Should https://github.com/CVEProject/cvelist/pull/628/files be clarified? Is there a way to correct this?
Comment 5 Wayne Beaton CLA 2021-02-18 17:33:36 EST
I am not aware of the mechanism through which NIST processes the CVE data that we provide, so I'm not sure how they decided to inject the "excluding" part. My best guess is that somebody was confused and made a call without following the links back to here to ask for clarification. I'll add investigating this to my list.

In the meantime, I'm thinking that our best bet is to be very precise when we describe versions, so I've updated the CVE report to indicate that the version range is "<= 0.23" and modified the text of the description to say "up to and including".

https://github.com/CVEProject/cvelist/pull/880