From patchwork Wed Nov 8 16:45:20 2023
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 79435
X-Patchwork-Delegate: fweimer@redhat.com
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: carlos@redhat.com, adhemerval.zanella@redhat.com, fweimer@redhat.com
Subject: [PATCH] Move CVE information into advisories directory
Date: Wed, 8 Nov 2023 11:45:20 -0500
Message-ID: <20231108164520.224489-1-siddhesh@sourceware.org>

One of the requirements for becoming a CVE Numbering Authority (CNA) is
to publish advisories.  Do this by maintaining a file for each CVE fixed
in the advisories directory in the source tree.  Links to the advisories
can then be shared as:

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/CVE-YYYY-NNNN

In future, backports up to glibc 2.39 should also include backport of the
relevant advisory file.

The file format at the moment is rudimentary and derives from the git
commit format, i.e. a subject line and a potentially multi-paragraph
description and then tags to describe some meta information.  This is a
loose format at the moment and could change as we evolve this.

Also add a script process-fixed-cves.sh that processes these advisories
and generates a list to add to NEWS at release time.
Signed-off-by: Siddhesh Poyarekar
---
Once this has consensus, I'll generate advisory files for all CVEs up to
v2.34 on the master branch.  I'll post a separate patch for older
branches up to 2.34, since they will have a different Fixed-by and
probably shouldn't include Fixed-releases:.

 NEWS                          | 24 +++++-------------------
 advisories/CVE-2023-4527      | 12 ++++++++++++
 advisories/CVE-2023-4806      | 10 ++++++++++
 advisories/CVE-2023-4911      | 11 +++++++++++
 advisories/CVE-2023-5156      | 10 ++++++++++
 scripts/process-fixed-cves.sh | 34 ++++++++++++++++++++++++++++++++++
 6 files changed, 82 insertions(+), 19 deletions(-)
 create mode 100644 advisories/CVE-2023-4527
 create mode 100644 advisories/CVE-2023-4806
 create mode 100644 advisories/CVE-2023-4911
 create mode 100644 advisories/CVE-2023-5156
 create mode 100755 scripts/process-fixed-cves.sh

diff --git a/NEWS b/NEWS
index 4580fe381d..92c8ee08c6 100644
--- a/NEWS
+++ b/NEWS
@@ -67,25 +67,11 @@ Changes to build and runtime requirements: Security related changes: - CVE-2023-4527: If the system is configured in no-aaaa mode via - /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address - family, and a DNS response is received over TCP that is larger than - 2048 bytes, getaddrinfo may potentially disclose stack contents via - the returned address data, or crash. - - CVE-2023-4806: When an NSS plugin only implements the - _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use - memory that was freed during buffer resizing, potentially causing a - crash or read or write to arbitrary memory. - - CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when - an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, - AI_ALL and AI_V4MAPPED flags set. - - CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the - environment of a setuid program and NAME is valid, it may result in a - buffer overflow, which could be exploited to achieve escalated - privileges. This flaw was introduced in glibc 2.34. +The following CVEs were fixed in this release, details of which can be +found in the advisories directory of the release tarball: + + [The release manager will add the list generated by + scripts/process-fixed-cves.sh just before the release.] The following bugs are resolved with this release: diff --git a/advisories/CVE-2023-4527 b/advisories/CVE-2023-4527 new file mode 100644 index 0000000000..9bb4957501 --- /dev/null +++ b/advisories/CVE-2023-4527 
@@ -0,0 +1,12 @@ +getaddrinfo: Stack read overflow in no-aaaa mode + +If the system is configured in no-aaaa mode via /etc/resolv.conf, +getaddrinfo is called for the AF_UNSPEC address family, and a DNS +response is received over TCP that is larger than 2048 bytes, +getaddrinfo may potentially disclose stack contents via the returned +address data, or crash. + +Public-date: 2023-09-12 +Vulnerable-since: f282cdbe7f436c75864e5640a409a10485e9abb2 +Fixed-by: bd77dd7e73e3530203be1c52c8a29d08270cb25d +Fixed-releases: 2.36, 2.37, 2.38, 2.39 diff --git a/advisories/CVE-2023-4806 b/advisories/CVE-2023-4806 new file mode 100644 index 0000000000..bea41cfaba --- /dev/null +++ b/advisories/CVE-2023-4806 @@ -0,0 +1,10 @@ +getaddrinfo: Potential use-after-free + +When an NSS plugin only implements the _gethostbyname2_r and +_getcanonname_r callbacks, getaddrinfo could use memory that was freed +during buffer resizing, potentially causing a crash or read or write to +arbitrary memory. + +Public-date: 2023-09-12 +Fixed-by: 973fe93a5675c42798b2161c6f29c01b0e243994 +Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39 diff --git a/advisories/CVE-2023-4911 b/advisories/CVE-2023-4911 new file mode 100644 index 0000000000..f250c0c12e --- /dev/null +++ b/advisories/CVE-2023-4911 @@ -0,0 +1,11 @@ +tunables: local privilege escalation through buffer overflow + +If a tunable of the form NAME=NAME=VAL is passed in the environment of a +setuid program and NAME is valid, it may result in a buffer overflow, +which could be exploited to achieve escalated privileges. This flaw was +introduced in glibc 2.34. + +Public-date: 2023-10-03 +Vulnerable-since: 2ed18c5b534d9e92fc006202a5af0df6b72e7aca +Fixed-by: 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa +Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39 diff --git a/advisories/CVE-2023-5156 b/advisories/CVE-2023-5156 new file mode 100644 index 0000000000..5493453bec --- /dev/null +++ b/advisories/CVE-2023-5156 
@@ -0,0 +1,10 @@ +getaddrinfo: DoS due to memory leak + +The fix for CVE-2023-4806 introduced a memory leak when an application +calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED +flags set. + +Public-date: 2023-09-25 +Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796 +Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994 +Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39 diff --git a/scripts/process-fixed-cves.sh b/scripts/process-fixed-cves.sh new file mode 100755 index 0000000000..d066b8c919 --- /dev/null +++ b/scripts/process-fixed-cves.sh @@ -0,0 +1,34 @@ +#!/bin/bash -e +# Copyright The GNU Toolchain Authors. +# This file is part of the GNU C Library. +# +# The GNU C Library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# The GNU C Library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with the GNU C Library; if not, see +# . + +git status > /dev/null 2>&1 || + ( echo "error: Run this script from within the glibc git repository." && + exit 1 ) + +prevrel=$(git tag | grep "glibc-2.[0-9]\+$" | + sort -n -t. -k 1,2nr -k 2,3nr | head -1) + +if ! [ -e advisories ]; then + echo "error: Previous release tag not found. This script needs to be run" + echo " from the toplevel directory of the glibc repository." + exit 1 +fi + +git diff --name-only --stat ${prevrel}..HEAD -- advisories | while read f; do + echo "$(basename $f): $(head -1 $f)"; +done
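Review bot: in the NEWS hunk, the replacement text promises that details "can be found in the advisories directory of the release tarball", but none of the six files in this patch touches how the release tarball is assembled; please confirm that the dist procedure picks up the new top-level advisories/ directory, otherwise the pointer dangles for everyone who installs from the tarball rather than from git. It would also help offline readers if the placeholder stated the shape of what the release manager will paste, i.e. one `CVE-YYYY-NNNN: <subject line>` line per advisory, which is what scripts/process-fixed-cves.sh prints.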
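Review bot: the tag fields introduced by advisories/CVE-2023-4527 (`Public-date`, `Vulnerable-since`, `Fixed-by`, `Fixed-releases`) are not documented anywhere in the patch, and their meaning is not self-evident: `Fixed-releases: 2.36, 2.37, 2.38, 2.39` presumably means "fixed on the release/2.36 branch" rather than "fixed in the 2.36 tarball", and the list runs up to 2.39, which the cover letter treats as the upcoming release. Please add a short advisories/README (or a comment block in the script) that states what each tag means, whether `Vulnerable-since` is optional, the expected tag order, and that the first line is the subject that ends up in NEWS, so the files can be checked and parsed mechanically as the format evolves.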
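Review bot: advisories/CVE-2023-4806 is the only one of the four files without a `Vulnerable-since:` tag. If the bug predates any identifiable commit, say so explicitly (for example a sentence in the description, or an agreed placeholder value) so that readers and any later tooling can tell "not known" from "forgotten".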
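Review bot: advisories/CVE-2023-5156 lists `Fixed-by:` before `Vulnerable-since:`, the reverse of the order used in CVE-2023-4527 and CVE-2023-4911. Pick one order (Public-date, Vulnerable-since, Fixed-by, Fixed-releases reads naturally) and use it in all four files; consistent ordering keeps diffs between advisories readable and any future parsing simple.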
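Review bot: in scripts/process-fixed-cves.sh, `git diff --name-only --stat ${prevrel}..HEAD -- advisories` lists every advisory file touched since the previous release, including files that were merely edited (for instance to append a release to `Fixed-releases:`), so a CVE fixed in an earlier release would be re-listed in the next NEWS; restrict the listing to newly added files with `--diff-filter=A`, which also avoids `head -1 $f` failing on a file deleted in the range (and drop `--stat`, which `--name-only` masks). Two checks are also off: if no `glibc-2.NN` tag matches, `prevrel` is empty and the range silently becomes `..HEAD`, while the message "Previous release tag not found" is actually printed when the advisories directory is missing; test `[ -n "$prevrel" ]` and `[ -d advisories ]` separately with matching messages. Finally, `#!/bin/bash -e` is not honoured when the script is run as `bash scripts/process-fixed-cves.sh`, and the `exit 1` in the `git status` guard runs inside a subshell `( ... )`, so without `-e` the script carries on; use `set -e` in the body and `{ ...; exit 1; }` or `|| exit 1`, quote `"$f"` in the loop, and consider `git tag --sort=-version:refname` in place of the `sort -n -t. -k 1,2nr -k 2,3nr` incantation, whose first key compares the non-numeric `glibc-2` prefix.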
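As an added example (not code from the patch, from glibc, or from the author), here is a parser and checker for the advisory format the patch introduces: a subject line, a blank line, free-form description paragraphs, and a trailing block of "Tag: value" lines. It embeds two of the patch's advisory files verbatim as input and handles the two irregularities visible in the patch, a missing `Vulnerable-since` tag and tags in a different order. Which tags are mandatory, the 40-hex commit-id check, the ISO-date check and the ascending `Fixed-releases` check are this example's own assumptions about the format, not rules the patch states.

```python
import re
from dataclasses import dataclass

COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
RELEASE_RE = re.compile(r"^2\.(\d+)$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
TAG_RE = re.compile(r"^([A-Z][A-Za-z-]*): (.*)$")
# Tag names are the ones the patch's files use; which are mandatory is this example's assumption.
REQUIRED_TAGS = ("Public-date", "Fixed-by", "Fixed-releases")
KNOWN_TAGS = REQUIRED_TAGS + ("Vulnerable-since",)


@dataclass
class Advisory:
    cve: str
    subject: str
    description: str
    tags: dict
    problems: list

    def news_line(self):
        # Same shape as the line scripts/process-fixed-cves.sh prints for NEWS.
        return f"{self.cve}: {self.subject}"

    def fixed_releases(self):
        return [r.strip() for r in self.tags.get("Fixed-releases", "").split(",") if r.strip()]


def parse_advisory(cve, text):
    """Split one advisory file into subject, description and tag block, recording format problems."""
    lines = text.rstrip("\n").split("\n")
    problems = [] if CVE_RE.match(cve) else [f"file name {cve!r} is not a CVE id"]
    subject = lines[0].strip()
    if not subject:
        problems.append("empty subject line")
    # Tags are the trailing run of "Name: value" lines, accepted in any order; the
    # subject (index 0) is never a tag and the block must follow a blank line.
    tags, end = {}, len(lines)
    while end > 1 and (m := TAG_RE.match(lines[end - 1])):
        if m.group(1) in tags:
            problems.append(f"duplicate tag {m.group(1)}")
        tags[m.group(1)] = m.group(2).strip()
        end -= 1
    if tags and lines[end - 1].strip():
        problems.append("no blank line before the tag block")
    description = "\n".join(lines[1:end]).strip()
    problems += [f"missing tag {t}" for t in REQUIRED_TAGS if t not in tags]
    problems += [f"unknown tag {t}" for t in tags if t not in KNOWN_TAGS]
    if "Public-date" in tags and not DATE_RE.match(tags["Public-date"]):
        problems.append("Public-date is not YYYY-MM-DD")
    for t in ("Fixed-by", "Vulnerable-since"):
        if t in tags and not COMMIT_RE.match(tags[t]):
            problems.append(f"{t} is not a full 40-hex commit id")
    adv = Advisory(cve, subject, description, tags, problems)
    rels = adv.fixed_releases()
    problems += [f"bad release number {r!r}" for r in rels if not RELEASE_RE.match(r)]
    minors = [int(r.split(".")[1]) for r in rels if RELEASE_RE.match(r)]
    if minors != sorted(minors):
        problems.append("Fixed-releases not in ascending order")
    return adv


def news_entries(advisories):
    # One NEWS line per advisory, ordered by CVE year then number.
    return [a.news_line() for a in sorted(advisories, key=lambda a: tuple(map(int, a.cve.split("-")[1:])))]


def fixed_in(advisories, release):
    # CVE ids whose Fixed-releases tag names `release`, e.g. "2.35".
    return sorted(a.cve for a in advisories if release in a.fixed_releases())


# Two of the advisory files from the patch, verbatim, keyed by file name.
ADVISORIES = {
    "CVE-2023-4806": """getaddrinfo: Potential use-after-free

When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during buffer resizing, potentially causing a crash or read or write to
arbitrary memory.

Public-date: 2023-09-12
Fixed-by: 973fe93a5675c42798b2161c6f29c01b0e243994
Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
""",
    "CVE-2023-5156": """getaddrinfo: DoS due to memory leak

The fix for CVE-2023-4806 introduced a memory leak when an application
calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
flags set.

Public-date: 2023-09-25
Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796
Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994
Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
""",
}
```

Calling `parse_advisory(name, text)` for each entry of `ADVISORIES` yields no problems for either file, `news_entries` gives the two `CVE-…: subject` lines in CVE order regardless of input order, and `fixed_in(advs, "2.35")` returns both ids because both list 2.35. Feeding a constructed file with a short commit id or a descending `Fixed-releases` list returns the corresponding problem strings instead of silently producing a NEWS line, which is the check a release manager would want before pasting the script's output.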