Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gl...@packages.debian.org
Control: affects -1 + src:glibc
[ Reason ]
A memory corruption was discovered in glibc's qsort() function, due to a missing bounds check when called by a program with a non-transitive comparison function and a large number of attacker-controlled elements. As the use of qsort() with a non-transitive comparison function is undefined according to the POSIX and ISO C standards, this is not considered a vulnerability in glibc itself (hence no CVE number has been assigned). However, as misbehaving callers seem to be relatively common, it is still a security issue and the qsort() function needs to be hardened against them.

[ Impact ]
Installations will be left vulnerable to the qsort() security issue.

[ Tests ]
There is no specific test added for that change, however there are a few upstream tests checking qsort().

[ Risks ]
The code change is very simple, and has been reviewed as part of DSA-561-11. In addition a similar change went upstream a few weeks ago:
https://sourceware.org/git/?p=glibc.git;a=commit;h=e4d8117b82065dc72e8df80097360e7c05a349b9
https://sourceware.org/git/?p=glibc.git;a=commit;h=b9390ba93676c4b1e87e218af5e7e4bb596312ac

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The change basically just adds a bounds check to a test. This is what got uploaded in 2.36-9+deb12u4 for bookworm-security and 2.37-15 for unstable.

[ Other info ]
Given the limited changes, I have already uploaded the package to the archive.

Thanks for considering.
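Added example, not part of this report or of glibc: a reduced copy of the insertion-sort inner loop from glibc 2.31's _quicksort, run with and without the bounds check against a constructed comparator that is never consistent. The names probe, bad_cmp, insertion_pass and run_pass are assumptions of this example; the comparator refuses to dereference anything below the array, so the demo itself stays memory-safe while still showing that only the guarded loop keeps tmp_ptr at or above base_ptr.

```c
#include <stddef.h>
#include <string.h>
/* Constructed, deliberately non-transitive comparator: it claims a < b for
 * every pair inside the array, so no element can stop the backward scan.
 * Handed a pointer below the array, it records that and returns 0 without
 * dereferencing anything, so this demo never reads out of bounds. */
struct probe { const char *base; int walked_off; };

static int bad_cmp(const void *a, const void *b, void *arg)
{
    struct probe *p = arg;
    (void)a;
    if ((const char *)b < p->base) { p->walked_off = 1; return 0; }
    return -1;
}

/* Insertion-sort tail of glibc 2.31's _quicksort, reduced to ints.
 * guarded == 0 is the inner loop before the patch, guarded != 0 after it.
 * Returns 1 if the comparator was ever called on memory below base. */
static int insertion_pass(int *arr, size_t n, int guarded, struct probe *p)
{
    const size_t size = sizeof arr[0];
    char *base_ptr = (char *)arr, *end_ptr = base_ptr + size * (n - 1);
    char *run_ptr = base_ptr, *tmp_ptr;
    int tmp;
    p->base = base_ptr; p->walked_off = 0;
    while ((run_ptr += size) <= end_ptr) {
        tmp_ptr = run_ptr - size;
        if (guarded)
            while (tmp_ptr != base_ptr && bad_cmp(run_ptr, tmp_ptr, p) < 0)
                tmp_ptr -= size;
        else  /* trusts arr[0] to be a minimum sentinel; bad_cmp breaks that */
            while (bad_cmp(run_ptr, tmp_ptr, p) < 0)
                tmp_ptr -= size;
        tmp_ptr += size;
        if (tmp_ptr != run_ptr) {  /* open a gap and insert the element */
            memcpy(&tmp, run_ptr, size);
            memmove(tmp_ptr + size, tmp_ptr, (size_t)(run_ptr - tmp_ptr));
            memcpy(tmp_ptr, &tmp, size);
        }
    }
    return p->walked_off;
}
/* buf[0] is a guard slot so the one-element underrun of the unpatched loop
 * stays inside a real object; the sort itself only sees buf + 1 .. buf + 4. */
int run_pass(int guarded)
{
    int buf[5] = { 0, 4, 3, 2, 1 };
    struct probe p;
    return insertion_pass(buf + 1, 4, guarded, &p);
}
```

run_pass(0) returns 1 because the unguarded scan asks the comparator about the slot before the array; run_pass(1) returns 0 because the patched condition stops at base_ptr first.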
diff -Nru glibc-2.31/debian/changelog glibc-2.31/debian/changelog --- glibc-2.31/debian/changelog 2023-10-02 22:22:57.000000000 +0200 +++ glibc-2.31/debian/changelog 2024-01-28 23:58:14.000000000 +0100 @@ -1,3 +1,10 @@ +glibc (2.31-13+deb11u8) bullseye; urgency=medium + + * debian/patches/any/local-qsort-memory-corruption.patch: Fix a memory + corruption in qsort() when using nontransitive comparison functions. + + -- Aurelien Jarno <aure...@debian.org> Sun, 28 Jan 2024 23:58:14 +0100 + glibc (2.31-13+deb11u7) bullseye-security; urgency=medium * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the diff -Nru glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch --- glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch 1970-01-01 01:00:00.000000000 +0100 +++ glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch 2024-01-28 23:58:14.000000000 +0100 @@ -0,0 +1,13 @@ +diff -rup a/stdlib/qsort.c b/stdlib/qsort.c +--- a/stdlib/qsort.c 2023-07-31 10:54:16.000000000 -0700 ++++ b/stdlib/qsort.c 2024-01-15 09:08:25.596167959 -0800 +@@ -224,7 +224,8 @@ _quicksort (void *const pbase, size_t to + while ((run_ptr += size) <= end_ptr) + { + tmp_ptr = run_ptr - size; +- while ((*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0) ++ while (tmp_ptr != base_ptr ++ && (*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0) + tmp_ptr -= size; + + tmp_ptr += size; diff -Nru glibc-2.31/debian/patches/series glibc-2.31/debian/patches/series --- glibc-2.31/debian/patches/series 2023-10-02 22:18:17.000000000 +0200 +++ glibc-2.31/debian/patches/series 2024-01-28 23:58:14.000000000 +0100 @@ -170,3 +170,4 @@ any/git-ld.so-cache-endianness-markup.diff any/local-CVE-2021-33574-mq_notify-use-after-free.diff any/local-CVE-2023-4911.patch +any/local-qsort-memory-corruption.patch
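Review bot: the new file debian/patches/any/local-qsort-memory-corruption.patch has no DEP-3 header; its first line is already `+diff -rup a/stdlib/qsort.c b/stdlib/qsort.c`, so there is no Description, Origin or Bug field. Add one that names the two upstream commits listed under [ Risks ] as the Origin and states that the change hardens the insertion-sort inner loop of _quicksort against non-transitive comparison functions, so whoever rebases the package later can see where the guard came from. The guard itself is correctly ordered: `tmp_ptr != base_ptr` is evaluated before `(*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg)`, so the comparison function is never invoked on a pointer below base_ptr, and the unchanged `tmp_ptr += size;` that follows still lands on a valid element when the scan stops at base_ptr.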