Red Hat CVE (redhat.com): RH:CVE-2024-2961
Apr 18, 2024 - 4:53 a.m.

CVE-2024-2961


AI Score: 7 High (Confidence: Low)

EPSS: 0.0005 Low (Percentile: 17.2%)

An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. When converting from the UCS4 charset, certain escape characters must be added to indicate to the library where the charset was changed. During this process, iconv improperly checks the boundaries of internal buffers, leading to a buffer overflow, which allows writing up to 3 bytes outside the desired memory location. This issue may allow an attacker to craft a malicious character sequence that will trigger the out-of-bounds write and perform remote code execution, presenting a high impact to the Integrity, Confidentiality, and Availability triad.

Mitigation

This issue can be mitigated by removing the ISO-2022-CN-EXT module from glibc-gconv-extra's modules configuration. This can be done as follows:

  1. Verify if the module is loaded by running:

    $ iconv -l | grep -E 'CN-?EXT'
    ISO-2022-CN-EXT//
    ISO2022CNEXT//

If the grep output looks like the above, the ISO-2022-CN-EXT module is enabled.

  2. Disable the module by editing the file located at /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf and commenting out the following lines. For RHEL 7 the file that needs to be edited is /usr/lib64/gconv/gconv-modules. This step must be executed by a privileged user:

    from to module cost

    alias ISO2022CNEXT// ISO-2022-CN-EXT//
    module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1
    module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT 1

To comment out those lines, add the '#' character at the beginning of each of them:

    #       from                    to                      module          cost
    #alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
    #module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
    #module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1

  3. Update the iconv cache by running:

    sudo iconvconfig

  4. Check if the module was disabled by running the first step again. This time ISO-2022-CN-EXT should not appear in the output.

Please note that disabling the mentioned gconv module may cause applications relying on the affected module to fail when converting characters. It should be used only as a temporary mitigation until the affected package can be fully updated.
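
The editing step of the mitigation as a script, added here as an example and not part of Red Hat's advisory: it comments out only the active ISO-2022-CN-EXT lines and keeps a backup of the original file. The function names and the sample configuration are constructed for illustration, and the demo runs against a temporary file rather than the system configuration.

```shell
#!/bin/sh
# Added example, not Red Hat's tooling; function names are hypothetical.
# Active (uncommented) alias/module lines naming ISO-2022-CN-EXT. The
# separate ISO-2022-CN module does not match and is left enabled.
CN_EXT_RE='^[[:space:]]*(alias|module)[[:space:]].*ISO-?2022-?CN-?EXT'

# Print the number of active ISO-2022-CN-EXT lines in config file $1.
cn_ext_active_count() {
    grep -Ec "$CN_EXT_RE" "$1" || true
}

# Comment out the active ISO-2022-CN-EXT lines in $1, saving $1.bak first.
# Re-running is a no-op, so the backup of the original is never overwritten.
cn_ext_disable() {
    [ "$(cn_ext_active_count "$1")" -gt 0 ] || return 0
    cp -p "$1" "$1.bak" &&
    sed -E "s@${CN_EXT_RE}@#&@" "$1.bak" > "$1"
}

# Write a constructed sample of a gconv modules file to $1.
make_sample() {
    cat > "$1" <<'EOF'
#       from                    to                      module          cost
alias   ISO2022CN//             ISO-2022-CN//
module  ISO-2022-CN//           INTERNAL                ISO-2022-CN     1
module  INTERNAL                ISO-2022-CN//           ISO-2022-CN     1
alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
EOF
}

# Demo on a temporary copy; nothing under /usr/lib64/gconv is touched.
demo=$(mktemp) && make_sample "$demo"
echo "active ISO-2022-CN-EXT lines before: $(cn_ext_active_count "$demo")"
cn_ext_disable "$demo"
echo "active ISO-2022-CN-EXT lines after:  $(cn_ext_active_count "$demo")"
rm -f "$demo" "$demo.bak"
```

On an affected host, run `cn_ext_disable` as a privileged user against the configuration file named in the steps above, then continue with `sudo iconvconfig` and the `iconv -l` check.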