Move CVE information into advisories directory
Checks
Context                                           | Check   | Description
redhat-pt-bot/TryBot-apply_patch                  | success | Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64  | success | Testing passed
redhat-pt-bot/TryBot-32bit                        | success | Build for i686
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64  | success | Testing passed
linaro-tcwg-bot/tcwg_glibc_build--master-arm      | success | Testing passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm      | success | Testing passed
Commit Message
One of the requirements to becoming a CVE Numbering Authority (CNA) is
to publish advisories. Do this by maintaining a file for each CVE fixed
in the advisories directory in the source tree. Links to the advisories
can then be shared as:

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/CVE-YYYY-NNNN

In future, backports up to glibc 2.39 should also include backport of
the relevant advisory file.

The file format at the moment is rudimentary and derives from the git
commit format, i.e. a subject line and a potentially multi-paragraph
description and then tags to describe some meta information. This is a
loose format at the moment and could change as we evolve this.

Also add a script process-fixed-cves.sh that processes these advisories
and generates a list to add to NEWS at release time.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
Once this has consensus, I'll generate advisory files for all CVEs up to
v2.34 on the master branch. I'll post a separate patch for older
branches up to 2.34, since they will have a different Fixed-by and
probably shouldn't include Fixed-releases:.
NEWS | 24 +++++-------------------
advisories/CVE-2023-4527 | 12 ++++++++++++
advisories/CVE-2023-4806 | 10 ++++++++++
advisories/CVE-2023-4911 | 11 +++++++++++
advisories/CVE-2023-5156 | 10 ++++++++++
scripts/process-fixed-cves.sh | 34 ++++++++++++++++++++++++++++++++++
6 files changed, 82 insertions(+), 19 deletions(-)
create mode 100644 advisories/CVE-2023-4527
create mode 100644 advisories/CVE-2023-4806
create mode 100644 advisories/CVE-2023-4911
create mode 100644 advisories/CVE-2023-5156
create mode 100755 scripts/process-fixed-cves.sh
Comments
* Siddhesh Poyarekar:
> One of the requirements to becoming a CVE Numbering Authority (CNA) is
> to publish advisories. Do this by maintaining a file for each CVE fixed
> in the advisories directory in the source tree. Links to the advisories
> can then be shared as:
>
> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/CVE-YYYY-NNNN
I think we should use our own identifiers (GLIBC-SA-2023-001 etc.)
instead of CVE IDs. CVE IDs can change due to duplicates, typos that
lead to rejection etc., and I don't think Gitweb follows symbolic links
in the repository (and we shouldn't check them in anyway because they
are confusing).
> In future, backports up to glibc 2.39 should also include backport of
> the relevant advisory file.
Should we replace the directory with a reference to the master branch
upon branching for the release? This way, the information is just in
one place.
> diff --git a/advisories/CVE-2023-4527 b/advisories/CVE-2023-4527
> new file mode 100644
> index 0000000000..9bb4957501
> --- /dev/null
> +++ b/advisories/CVE-2023-4527
> @@ -0,0 +1,12 @@
> +getaddrinfo: Stack read overflow in no-aaaa mode
> +
> +If the system is configured in no-aaaa mode via /etc/resolv.conf,
> +getaddrinfo is called for the AF_UNSPEC address family, and a DNS
> +response is received over TCP that is larger than 2048 bytes,
> +getaddrinfo may potentially disclose stack contents via the returned
> +address data, or crash.
Should we add a little bit more information? An initial paragraph like
this?
This vulnerability affects the DNS client implementation in glibc.
This component is responsible for translating DNS host names to
addresses and back. The vulnerability is in the NSS part of the DNS
client. Applications which call the getaddrinfo function are
potentially impacted, but the older name resolution interfaces and
the res_* family of functions are not affected.
And then as a third paragraph:
The no-aaaa functionality was introduced in glibc 2.36. Previous
versions ignore the no-aaaa option if it is present in /etc/resolv.conf.
And maybe even quote a vulnerable configuration snippet?
> +Public-date: 2023-09-12
> +Vulnerable-since: f282cdbe7f436c75864e5640a409a10485e9abb2
> +Fixed-by: bd77dd7e73e3530203be1c52c8a29d08270cb25d
> +Fixed-releases: 2.36, 2.37, 2.38, 2.39
CVE IDs should be repeated in the file itself.
It would be nice to note that f282cdbe7f436c75864e5640a409a10485e9abb2
is part of the 2.36 release.
> diff --git a/advisories/CVE-2023-5156 b/advisories/CVE-2023-5156
> new file mode 100644
> index 0000000000..5493453bec
> --- /dev/null
> +++ b/advisories/CVE-2023-5156
> @@ -0,0 +1,10 @@
> +getaddrinfo: DoS due to memory leak
> +
> +The fix for CVE-2023-4806 introduced a memory leak when an application
> +calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
> +flags set.
> +
> +Public-date: 2023-09-25
> +Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796
> +Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994
> +Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
> diff --git a/scripts/process-fixed-cves.sh b/scripts/process-fixed-cves.sh
> new file mode 100755
> index 0000000000..d066b8c919
> +prevrel=$(git tag | grep "glibc-2.[0-9]\+$" |
> + sort -n -t. -k 1,2nr -k 2,3nr | head -1)
I think this is slightly more robust:
git tag --sort=-taggerdate | grep '^glibc-2\.[0-9.]\+' | grep -v '\.9000$'
Thanks,
Florian
Thanks, I'll update and post a v2.
On 2023-11-08 12:32, Florian Weimer wrote:
> * Siddhesh Poyarekar:
>
>> One of the requirements to becoming a CVE Numbering Authority (CNA) is
>> to publish advisories. Do this by maintaining a file for each CVE fixed
>> in the advisories directory in the source tree. Links to the advisories
>> can then be shared as:
>>
>> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/CVE-YYYY-NNNN
>
> I think we should use our own identifiers (GLIBC-SA-2023-001 etc.)
> instead of CVE IDs. CVE IDs can change due to duplicates, typos that
> lead to rejection etc., and I don't think Gitweb follows symbolic links
> in the repository (and we shouldn't check them in anyway because they
> are confusing).
OK, I can add glibc-specific IDs.
>> In future, backports up to glibc 2.39 should also include backport of
>> the relevant advisory file.
>
> Should we replace the directory with a reference to the master branch
> upon branching for the release? This way, the information is just in
> one place.
That'll make things easy, I agree. This could be scripted on release.
>> diff --git a/advisories/CVE-2023-4527 b/advisories/CVE-2023-4527
>> new file mode 100644
>> index 0000000000..9bb4957501
>> --- /dev/null
>> +++ b/advisories/CVE-2023-4527
>> @@ -0,0 +1,12 @@
>> +getaddrinfo: Stack read overflow in no-aaaa mode
>> +
>> +If the system is configured in no-aaaa mode via /etc/resolv.conf,
>> +getaddrinfo is called for the AF_UNSPEC address family, and a DNS
>> +response is received over TCP that is larger than 2048 bytes,
>> +getaddrinfo may potentially disclose stack contents via the returned
>> +address data, or crash.
>
> Should we add a little bit more information? An initial paragraph like
> this?
>
> This vulnerability affects the DNS client implementation in glibc.
> This component is responsible for translating DNS host names to
> addresses and back. The vulnerability is in the NSS part of the DNS
> client. Applications which call the getaddrinfo function are
> potentially impacted, but the older name resolution interfaces and
> the res_* family of functions are not affected.
>
> And then as a third paragraph:
>
> The no-aaaa functionality was introduced in glibc 2.36. Previous
> versions ignore the no-aaaa option if it is present in /etc/resolv.conf.
>
> And maybe even quote a vulnerable configuration snippet?
>
Sure, additional information would be great, would you be able to push a
patch with more information for CVE-2023-4527 on top of the advisory
file once I've committed this? I'll do the other 3.
>> +Public-date: 2023-09-12
>> +Vulnerable-since: f282cdbe7f436c75864e5640a409a10485e9abb2
>> +Fixed-by: bd77dd7e73e3530203be1c52c8a29d08270cb25d
>> +Fixed-releases: 2.36, 2.37, 2.38, 2.39
>
> CVE IDs should be repeated in the file itself.
Ack, and it will be necessary if the advisory files are of the form
GLIBC-SA-YYYY-NNNN.
>
> It would be nice to note that f282cdbe7f436c75864e5640a409a10485e9abb2
> is part of the 2.36 release.
Ack, I'll add a First-Vulnerable-release.
>> diff --git a/advisories/CVE-2023-5156 b/advisories/CVE-2023-5156
>> new file mode 100644
>> index 0000000000..5493453bec
>> --- /dev/null
>> +++ b/advisories/CVE-2023-5156
>> @@ -0,0 +1,10 @@
>> +getaddrinfo: DoS due to memory leak
>> +
>> +The fix for CVE-2023-4806 introduced a memory leak when an application
>> +calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
>> +flags set.
>> +
>> +Public-date: 2023-09-25
>> +Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796
>> +Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994
>> +Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
>> diff --git a/scripts/process-fixed-cves.sh b/scripts/process-fixed-cves.sh
>> new file mode 100755
>> index 0000000000..d066b8c919
>
>> +prevrel=$(git tag | grep "glibc-2.[0-9]\+$" |
>> + sort -n -t. -k 1,2nr -k 2,3nr | head -1)
>
> I think this is slightly more robust:
>
> git tag --sort=-taggerdate | grep '^glibc-2\.[0-9.]\+' | grep -v '\.9000$'
Thanks, and how about this as the format for the auto-generated NEWS clip:
GLIBC-SA-YYYY-NNNN:
CVE-YYYY-NNNN: One line description.
Thanks,
Sid
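The advisory file format from the commit message (a subject line, a free-form description, then `Tag: value` lines) and the two-line NEWS clip layout Sid proposes above, as an added example that is not part of this thread and not glibc's own `process-fixed-cves.sh`: a POSIX sh parser that reads advisory files named after Florian's suggested GLIBC-SA-YYYY-NNNN scheme, takes the CVE from a `CVE:` tag inside the file (the tag name is an assumption; the thread only says the ID should be repeated in the file) and prints the clip. The sample advisory contents are constructed from the CVE-2023-4806 and CVE-2023-4527 texts on this page; a file without the CVE tag is reported as an error instead of producing an empty entry.

```shell
#!/bin/sh
# Added example, not glibc's script. Parses advisory files of the form
#   <subject line>
#   <blank line>
#   <description paragraphs>
#   <blank line>
#   Tag: value lines
# and emits the NEWS clip format proposed in the thread:
#   GLIBC-SA-YYYY-NNNN:
#     CVE-YYYY-NNNN: One line description.
# The "CVE:" tag name and the GLIBC-SA-* file names are assumptions.
set -eu

advisory_subject() {
    # The first line of an advisory is its one-line subject.
    head -n 1 "$1"
}

advisory_tag() {
    # Print the value of tag $2 (e.g. Fixed-by) from advisory file $1.
    # Tags are "Name: value" lines; the first match wins.
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

news_entry() {
    # Render one advisory as a two-line NEWS clip entry. The GLIBC-SA id
    # comes from the file name, the CVE id from the tag inside the file.
    f=$1
    id=$(basename "$f")
    cve=$(advisory_tag "$f" CVE)
    if [ -z "$cve" ]; then
        echo "error: $f has no CVE: tag" >&2
        return 1
    fi
    printf '%s:\n  %s: %s\n' "$id" "$cve" "$(advisory_subject "$f")"
}

news_clip() {
    # Emit entries for every GLIBC-SA-* advisory in directory $1, in
    # file-name order (glob expansion is sorted).
    for f in "$1"/GLIBC-SA-*; do
        [ -f "$f" ] || continue
        news_entry "$f"
    done
}

# Constructed sample advisories (text taken from the thread) in a
# temporary directory that is removed on exit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/GLIBC-SA-2023-0001" <<'EOF'
getaddrinfo: Potential use-after-free

When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during buffer resizing, potentially causing a crash or read or write to
arbitrary memory.

CVE: CVE-2023-4806
Public-date: 2023-09-12
Fixed-by: 973fe93a5675c42798b2161c6f29c01b0e243994
Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
EOF

cat > "$demo_dir/GLIBC-SA-2023-0002" <<'EOF'
getaddrinfo: Stack read overflow in no-aaaa mode

If the system is configured in no-aaaa mode via /etc/resolv.conf,
getaddrinfo is called for the AF_UNSPEC address family, and a DNS
response is received over TCP that is larger than 2048 bytes,
getaddrinfo may potentially disclose stack contents via the returned
address data, or crash.

CVE: CVE-2023-4527
Public-date: 2023-09-12
Vulnerable-since: f282cdbe7f436c75864e5640a409a10485e9abb2
Fixed-by: bd77dd7e73e3530203be1c52c8a29d08270cb25d
Fixed-releases: 2.36, 2.37, 2.38, 2.39
EOF

# Print the clip for the two sample advisories.
news_clip "$demo_dir"
```

Keeping the glibc identifier in the file name and the CVE in a tag means the two can diverge without breaking the clip, which is the property Florian wants when a CVE is rejected or renumbered; `advisory_tag` also gives a release script one place to read `Fixed-releases:` from, rather than relying on tag order, which the thread's files do not yet keep consistent.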
@@ -67,25 +67,11 @@ Changes to build and runtime requirements:
Security related changes:
- CVE-2023-4527: If the system is configured in no-aaaa mode via
- /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
- family, and a DNS response is received over TCP that is larger than
- 2048 bytes, getaddrinfo may potentially disclose stack contents via
- the returned address data, or crash.
-
- CVE-2023-4806: When an NSS plugin only implements the
- _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
- memory that was freed during buffer resizing, potentially causing a
- crash or read or write to arbitrary memory.
-
- CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
- an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
- AI_ALL and AI_V4MAPPED flags set.
-
- CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
- environment of a setuid program and NAME is valid, it may result in a
- buffer overflow, which could be exploited to achieve escalated
- privileges. This flaw was introduced in glibc 2.34.
+The following CVEs were fixed in this release, details of which can be
+found in the advisories directory of the release tarball:
+
+ [The release manager will add the list generated by
+ scripts/process-fixed-cves.sh just before the release.]
The following bugs are resolved with this release:
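Review bot: the new NEWS text `+found in the advisories directory of the release tarball:` promises the advisories directory in the release tarball, but the diffstat above shows no change to how the tarball is assembled, so it is worth confirming the directory actually ends up in it; if not, the sentence should point at the blob_plain URL from the commit message instead. The bracketed placeholder `+[The release manager will add the list generated by` `+scripts/process-fixed-cves.sh just before the release.]` also needs a matching item on the release checklist, otherwise it ships verbatim in the released NEWS.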
new file mode 100644
@@ -0,0 +1,12 @@
+getaddrinfo: Stack read overflow in no-aaaa mode
+
+If the system is configured in no-aaaa mode via /etc/resolv.conf,
+getaddrinfo is called for the AF_UNSPEC address family, and a DNS
+response is received over TCP that is larger than 2048 bytes,
+getaddrinfo may potentially disclose stack contents via the returned
+address data, or crash.
+
+Public-date: 2023-09-12
+Vulnerable-since: f282cdbe7f436c75864e5640a409a10485e9abb2
+Fixed-by: bd77dd7e73e3530203be1c52c8a29d08270cb25d
+Fixed-releases: 2.36, 2.37, 2.38, 2.39
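Review bot: the CVE identifier for this advisory exists only in the file name; the body between `+getaddrinfo: Stack read overflow in no-aaaa mode` and `+Fixed-releases: 2.36, 2.37, 2.38, 2.39` never states it, so the content served by the blob_plain URL in the commit message, or a copy of the file, carries no CVE ID at all. Add a tag line carrying the ID next to `+Public-date: 2023-09-12`. Also, `+Vulnerable-since: f282cdbe7f436c75864e5640a409a10485e9abb2` is a bare commit hash, while the NEWS entry being removed for CVE-2023-4911 gave a release ("introduced in glibc 2.34"); a release tag here helps readers who only have the tarball.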
new file mode 100644
@@ -0,0 +1,10 @@
+getaddrinfo: Potential use-after-free
+
+When an NSS plugin only implements the _gethostbyname2_r and
+_getcanonname_r callbacks, getaddrinfo could use memory that was freed
+during buffer resizing, potentially causing a crash or read or write to
+arbitrary memory.
+
+Public-date: 2023-09-12
+Fixed-by: 973fe93a5675c42798b2161c6f29c01b0e243994
+Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
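Review bot: this advisory (advisories/CVE-2023-4806 per the diffstat) is the only one of the four without a `Vulnerable-since:` tag; the tags here go straight from `+Public-date: 2023-09-12` to `+Fixed-by: 973fe93a5675c42798b2161c6f29c01b0e243994`. Either add the introducing commit or state in the format description that the tag is optional, so that anything parsing the tags later does not assume it is always present.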
new file mode 100644
@@ -0,0 +1,11 @@
+tunables: local privilege escalation through buffer overflow
+
+If a tunable of the form NAME=NAME=VAL is passed in the environment of a
+setuid program and NAME is valid, it may result in a buffer overflow,
+which could be exploited to achieve escalated privileges. This flaw was
+introduced in glibc 2.34.
+
+Public-date: 2023-10-03
+Vulnerable-since: 2ed18c5b534d9e92fc006202a5af0df6b72e7aca
+Fixed-by: 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa
+Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
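Review bot: the introducing release is encoded in prose here (`+introduced in glibc 2.34.`) but as a commit hash in `+Vulnerable-since: 2ed18c5b534d9e92fc006202a5af0df6b72e7aca`, and the other advisories carry only the hash. Pick one machine-readable representation for the first vulnerable release (the `First-Vulnerable-release` tag agreed on in the thread) so the information is not scattered between description and tags.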
new file mode 100644
@@ -0,0 +1,10 @@
+getaddrinfo: DoS due to memory leak
+
+The fix for CVE-2023-4806 introduced a memory leak when an application
+calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
+flags set.
+
+Public-date: 2023-09-25
+Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796
+Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994
+Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
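Review bot: tag order here (`+Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796` before `+Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994`) is the reverse of the other three files, where `Vulnerable-since:` comes first. The commit message calls the format loose, but a fixed tag order keeps diffs across advisories readable. On content, the `Vulnerable-since:` hash is exactly the `Fixed-by:` of CVE-2023-4806, which matches `+The fix for CVE-2023-4806 introduced a memory leak`; naming the related CVE in a tag as well would make that relation visible to tooling, not just to a reader.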
new file mode 100755
@@ -0,0 +1,34 @@
+#!/bin/bash -e
+# Copyright The GNU Toolchain Authors.
+# This file is part of the GNU C Library.
+#
+# The GNU C Library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# The GNU C Library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with the GNU C Library; if not, see
+# <https://www.gnu.org/licenses/>.
+
+git status > /dev/null 2>&1 ||
+ ( echo "error: Run this script from within the glibc git repository." &&
+ exit 1 )
+
+prevrel=$(git tag | grep "glibc-2.[0-9]\+$" |
+ sort -n -t. -k 1,2nr -k 2,3nr | head -1)
+
+if ! [ -e advisories ]; then
+ echo "error: Previous release tag not found. This script needs to be run"
+ echo " from the toplevel directory of the glibc repository."
+ exit 1
+fi
+
+git diff --name-only --stat ${prevrel}..HEAD -- advisories | while read f; do
+ echo "$(basename $f): $(head -1 $f)";
+done
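Review bot: when no tag matches, `prevrel` is empty and `${prevrel}..HEAD` in `+git diff --name-only --stat ${prevrel}..HEAD -- advisories | while read f; do` becomes `..HEAD`, which git resolves as `HEAD..HEAD`, so the script silently prints nothing; add `[ -n "$prevrel" ]` and fail loudly. That is also the check the message at `+ echo "error: Previous release tag not found. This script needs to be run"` describes, but it is attached to `+if ! [ -e advisories ]; then`, which tests for the directory instead; the message and the condition need to be matched up. Three smaller points: `exit 1` inside `+ ( echo "error: Run this script from within the glibc git repository." &&` `+ exit 1 )` only leaves the subshell, so the script keeps going unless the `-e` from `+#!/bin/bash -e` is in effect, which it is not when invoked as `bash scripts/process-fixed-cves.sh` (use `{ ...; exit 1; }` and `set -e` in the body); `--name-only --stat` are contradictory, and without `--diff-filter=A` an edit to an old advisory, or a deletion (which makes `+ echo "$(basename $f): $(head -1 $f)";` fail), is listed as fixed in this release; and `$f` should be quoted.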