From: Mike Crowe <m...@mcrowe.com> Take the patch from the source for Debian's glibc 2.31-13+deb11u7 package, the changelog for which starts with:
glibc (2.31-13+deb11u7) bullseye-security; urgency=medium * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the dynamic loader's processing of the GLIBC_TUNABLES environment variable (CVE-2023-4911). This addresses the "Looney Tunables" vulnerability described at https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt Signed-off-by: Mike Crowe <m...@mcrowe.com> --- .../glibc/glibc/CVE-2023-4911.patch | 63 +++++++++++++++++++ meta/recipes-core/glibc/glibc_2.31.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/CVE-2023-4911.patch Hopefully sent by a route that doesn't corrupt the whitespace this time. diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch new file mode 100644 index 0000000000..4d3146509a --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch @@ -0,0 +1,63 @@ +From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddh...@redhat.com> +Date: Mon, 11 Sep 2023 18:53:15 -0400 +Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached + +The string parsing routine may end up writing beyond bounds of tunestr +if the input tunable string is malformed, of the form name=name=val. +This gets processed twice, first as name=name=val and next as name=val, +resulting in tunestr being name=name=val:name=val, thus overflowing +tunestr. + +Terminate the parsing loop at the first instance itself so that tunestr +does not overflow. +--- +Changes from v1: + +- Also null-terminate tunestr before exiting. + + elf/dl-tunables.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +Upstream-Status: Backport [git://sourceware.org/git/glibc.git] +CVE: CVE-2023-4911 + +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c +index 8e7ee9df10..76cf8b9da3 100644 +--- a/elf/dl-tunables.c ++++ b/elf/dl-tunables.c +@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) + /* If we reach the end of the string before getting a valid name-value + pair, bail out. */ + if (p[len] == '\0') +- { +- if (__libc_enable_secure) +- tunestr[off] = '\0'; +- return; +- } ++ break; + + /* We did not find a valid name-value pair before encountering the + colon. */ +@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) + } + } + +- if (p[len] != '\0') +- p += len + 1; ++ /* We reached the end while processing the tunable string. */ ++ if (p[len] == '\0') ++ break; ++ ++ p += len + 1; + } ++ ++ /* Terminate tunestr before we leave. */ ++ if (__libc_enable_secure) ++ tunestr[off] = '\0'; + } + #endif + +-- +2.41.0 + diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb index 8d216f6ed1..1862586749 100644 --- a/meta/recipes-core/glibc/glibc_2.31.bb +++ b/meta/recipes-core/glibc/glibc_2.31.bb @@ -80,6 +80,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \ file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \ file://CVE-2023-0687.patch \ + file://CVE-2023-4911.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" -- 2.39.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188738): https://lists.openembedded.org/g/openembedded-core/message/188738 Mute This Topic: https://lists.openembedded.org/mt/101785197/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-