glibc: Fix CVE-2023-4911 "Looney Tunables"

Take the patch from the source for Debian's glibc 2.31-13+deb11u7 package, the changelog for which starts with: glibc (2.31-13+deb11u7) bullseye-security; urgency=medium * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the dynamic loader's processing of the GLIBC_TUNABLES environment variable (CVE-2023-4911). This addresses the "Looney Tunables" vulnerability described at https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt (From OE-Core rev: 9a800a2e2c2b14eab8c1f83cb4ac3b94a70dd23c) Signed-off-by: Mike Crowe <mac@mcrowe.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Mike Crowe <mac@mcrowe.com> 2023-10-05 21:40:30 +0100
committer: Steve Sakoman <steve@sakoman.com> 2023-10-06 05:41:57 -1000
commit: 278d77034e08df0d49860705aa72d91e4af73d61 (patch)
tree: 30e6edd3ed7bed0755584827c41aa5d31695e153 /meta/recipes-core/glibc/glibc_2.31.bb
parent: c0535262c8799c687fb0d5bdd7d1182ce768e3d5 (diff)
download: poky-278d77034e08df0d49860705aa72d91e4af73d61.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 8d216f6ed1..1862586749 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -80,6 +80,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
           file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \
           file://CVE-2023-0687.patch \
+           file://CVE-2023-4911.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Mike Crowe <mac@mcrowe.com>	2023-10-05 21:40:30 +0100
committer	Steve Sakoman <steve@sakoman.com>	2023-10-06 05:41:57 -1000
commit	278d77034e08df0d49860705aa72d91e4af73d61 (patch)
tree	30e6edd3ed7bed0755584827c41aa5d31695e153 /meta/recipes-core/glibc/glibc_2.31.bb
parent	c0535262c8799c687fb0d5bdd7d1182ce768e3d5 (diff)
download	poky-278d77034e08df0d49860705aa72d91e4af73d61.tar.gz

diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb index 8d216f6ed1..1862586749 100644 --- a/meta/recipes-core/glibc/glibc_2.31.bb +++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -80,6 +80,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
80	file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \	80	file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
81	file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \	81	file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \
82	file://CVE-2023-0687.patch \	82	file://CVE-2023-0687.patch \
		83	file://CVE-2023-4911.patch \
83	"	84	"
84	S = "${WORKDIR}/git"	85	S = "${WORKDIR}/git"
85	B = "${WORKDIR}/build-${TARGET_SYS}"	86	B = "${WORKDIR}/build-${TARGET_SYS}"