author | Mike Crowe <mac@mcrowe.com> | 2023-10-05 21:40:30 +0100 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-10-06 05:41:57 -1000 |
commit | 278d77034e08df0d49860705aa72d91e4af73d61 (patch) | |
tree | 30e6edd3ed7bed0755584827c41aa5d31695e153 | |
parent | c0535262c8799c687fb0d5bdd7d1182ce768e3d5 (diff) | |
download | poky-278d77034e08df0d49860705aa72d91e4af73d61.tar.gz |
glibc: Fix CVE-2023-4911 "Looney Tunables"
Take the patch from the source for Debian's glibc 2.31-13+deb11u7
package, the changelog for which starts with:
glibc (2.31-13+deb11u7) bullseye-security; urgency=medium
* debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the
dynamic loader's processing of the GLIBC_TUNABLES environment variable
(CVE-2023-4911).
This addresses the "Looney Tunables" vulnerability described at
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
(From OE-Core rev: 9a800a2e2c2b14eab8c1f83cb4ac3b94a70dd23c)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2023-4911.patch | 63 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.31.bb | 1 |
2 files changed, 64 insertions, 0 deletions
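--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
@@ -0,0 +1,63 @@
+From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Mon, 11 Sep 2023 18:53:15 -0400
+Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+---
+Changes from v1:
+
+- Also null-terminate tunestr before exiting.
+
+elf/dl-tunables.c | 17 ++++++++++-------
+1 file changed, 10 insertions(+), 7 deletions(-)
+
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+CVE: CVE-2023-4911
+
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8e7ee9df10..76cf8b9da3 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
+/* If we reach the end of the string before getting a valid name-value
+pair, bail out. */
+if (p[len] == '\0')
+- {
+- if (__libc_enable_secure)
+- tunestr[off] = '\0';
+- return;
+- }
++ break;
+
+/* We did not find a valid name-value pair before encountering the
+colon. */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
+}
+}
+
+- if (p[len] != '\0')
+- p += len + 1;
++ /* We reached the end while processing the tunable string. */
++ if (p[len] == '\0')
++ break;
++
++ p += len + 1;
+}
++
++ /* Terminate tunestr before we leave. */
++ if (__libc_enable_secure)
++ tunestr[off] = '\0';
+}
+#endif
+
+--
+2.41.0
+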
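Review bot: The backport carries only the elf/dl-tunables.c change (its embedded diffstat reports "1 file changed"), so no regression test accompanies the fix; if the upstream commit's companion update to elf/tst-env-setuid-tunables.c, which as far as I recall adds a malformed `name=name=val` case, applies cleanly to 2.31, carrying it would let ptest detect a regression of this overflow. The `Upstream-Status: Backport [git://sourceware.org/git/glibc.git]` line names only the repository, whereas OE convention is to reference the specific upstream commit, and the `From d2b77337…` id in the mail header looks like a local or list-posting identifier rather than the merged commit — worth confirming and recording as `Upstream-Status: Backport [<upstream-commit-url>]`. parse_tunables begins before the first hunk and the loop body between the two hunks is not shown, so the effect of the two new `break` statements on the secure-mode copy into tunestr cannot be fully checked from this patch alone.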
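--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -80,6 +80,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
 file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \
 file://CVE-2023-0687.patch \
+file://CVE-2023-4911.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"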