| Message ID | 20231005085407.2200644-1-mac@mcrowe.com |
|---|---|
| State | Accepted, archived |
| Commit | 9a800a2e2c2b14eab8c1f83cb4ac3b94a70dd23c |
| Headers | show |
| Series | [dunfell] glibc: Fix CVE-2023-4911 "Looney Tunables" | expand |
Hmmm ... does this build for you? I'm getting: ERROR: glibc-2.31+gitAUTOINC+2d4f26e5cf-r0 do_patch: Applying patch 'CVE-2023-4911.patch' on target directory '/home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/glibc/2.31+gitAUTOINC+2d4f26e5cf-r0/git' Command Error: 'quilt --quiltrc /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/glibc/2.31+gitAUTOINC+2d4f26e5cf-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch CVE-2023-4911.patch patching file elf/dl-tunables.c Hunk #1 FAILED at 187. Hunk #2 FAILED at 251. 2 out of 2 hunks FAILED -- rejects in file elf/dl-tunables.c Patch CVE-2023-4911.patch does not apply (enforce with -f) Steve On Wed, Oct 4, 2023 at 10:54 PM Mike Crowe via lists.openembedded.org <mac=mcrowe.com@lists.openembedded.org> wrote: > > From: Mike Crowe <mac@mcrowe.com> > > Take the patch from the source for Debian's glibc 2.31-13+deb11u7 > package, the changelog for which starts with: > > glibc (2.31-13+deb11u7) bullseye-security; urgency=medium > > * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the > dynamic loader's processing of the GLIBC_TUNABLES environment variable > (CVE-2023-4911). > > This addresses the "Looney Tunables" vulnerability described at > https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt > > Signed-off-by: Mike Crowe <mac@mcrowe.com> > --- > .../glibc/glibc/CVE-2023-4911.patch | 63 +++++++++++++++++++ > meta/recipes-core/glibc/glibc_2.31.bb | 1 + > 2 files changed, 64 insertions(+) > create mode 100644 meta/recipes-core/glibc/glibc/CVE-2023-4911.patch > > diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch > new file mode 100644 > index 0000000000..4d3146509a > --- /dev/null > +++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch > @@ -0,0 +1,63 @@ > +From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001 > +From: Siddhesh Poyarekar <siddhesh@redhat.com> > +Date: Mon, 11 Sep 2023 18:53:15 -0400 > +Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached > + > +The string parsing routine may end up writing beyond bounds of tunestr > +if the input tunable string is malformed, of the form name=name=val. > +This gets processed twice, first as name=name=val and next as name=val, > +resulting in tunestr being name=name=val:name=val, thus overflowing > +tunestr. > + > +Terminate the parsing loop at the first instance itself so that tunestr > +does not overflow. > +--- > +Changes from v1: > + > +- Also null-terminate tunestr before exiting. > + > + elf/dl-tunables.c | 17 ++++++++++------- > + 1 file changed, 10 insertions(+), 7 deletions(-) > + > +Upstream-Status: Backport [git://sourceware.org/git/glibc.git] > +CVE: CVE-2023-4911 > + > +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c > +index 8e7ee9df10..76cf8b9da3 100644 > +--- a/elf/dl-tunables.c > ++++ b/elf/dl-tunables.c > +@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) > + /* If we reach the end of the string before getting a valid name-value > + pair, bail out. */ > + if (p[len] == '\0') > +- { > +- if (__libc_enable_secure) > +- tunestr[off] = '\0'; > +- return; > +- } > ++ break; > + > + /* We did not find a valid name-value pair before encountering the > + colon. */ > +@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) > + } > + } > + > +- if (p[len] != '\0') > +- p += len + 1; > ++ /* We reached the end while processing the tunable string. */ > ++ if (p[len] == '\0') > ++ break; > ++ > ++ p += len + 1; > + } > ++ > ++ /* Terminate tunestr before we leave. */ > ++ if (__libc_enable_secure) > ++ tunestr[off] = '\0'; > + } > + #endif > + > +-- > +2.41.0 > + > diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb > index 8d216f6ed1..1862586749 100644 > --- a/meta/recipes-core/glibc/glibc_2.31.bb > +++ b/meta/recipes-core/glibc/glibc_2.31.bb > @@ -80,6 +80,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ > file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \ > file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \ > file://CVE-2023-0687.patch \ > + file://CVE-2023-4911.patch \ > " > S = "${WORKDIR}/git" > B = "${WORKDIR}/build-${TARGET_SYS}" > -- > 2.39.2 > > BrightSign considers your privacy to be very important. The emails you send to us will be protected and secured. Furthermore, we will only use your email and contact information for the reasons you sent them to us and for tracking how effectively we respond to your requests. > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#188708): https://lists.openembedded.org/g/openembedded-core/message/188708 > Mute This Topic: https://lists.openembedded.org/mt/101773057/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Thu, 5 Oct 2023, Steve Sakoman wrote: > Hmmm ... does this build for you? > > I'm getting: > > ERROR: glibc-2.31+gitAUTOINC+2d4f26e5cf-r0 do_patch: Applying patch > 'CVE-2023-4911.patch' on target directory > '/home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/glibc/2.31+gitAUTOINC+2d4f26e5cf-r0/git' > Command Error: 'quilt --quiltrc > /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/glibc/2.31+gitAUTOINC+2d4f26e5cf-r0/recipe-sysroot-native/etc/quiltrc > push' exited with 0 Output: > Applying patch CVE-2023-4911.patch > patching file elf/dl-tunables.c > Hunk #1 FAILED at 187. > Hunk #2 FAILED at 251. > 2 out of 2 hunks FAILED -- rejects in file elf/dl-tunables.c > Patch CVE-2023-4911.patch does not apply (enforce with -f) > > Steve Debian's page at https://security-tracker.debian.org/tracker/CVE-2023-4911 indicates at the bottom that they're only vulnerable on their 2.31 based versions because they backported the change that introduced the vulnerability, which I don't believe has been done in oe-core... Scott > On Wed, Oct 4, 2023 at 10:54 PM Mike Crowe via lists.openembedded.org > <mac=mcrowe.com@lists.openembedded.org> wrote: > > > > From: Mike Crowe <mac@mcrowe.com> > > > > Take the patch from the source for Debian's glibc 2.31-13+deb11u7 > > package, the changelog for which starts with: > > > > glibc (2.31-13+deb11u7) bullseye-security; urgency=medium > > > > * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the > > dynamic loader's processing of the GLIBC_TUNABLES environment variable > > (CVE-2023-4911). > > > > This addresses the "Looney Tunables" vulnerability described at > > https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt > > > > Signed-off-by: Mike Crowe <mac@mcrowe.com> > > --- > > .../glibc/glibc/CVE-2023-4911.patch | 63 +++++++++++++++++++ > > meta/recipes-core/glibc/glibc_2.31.bb | 1 + > > 2 files changed, 64 insertions(+) > > create mode 100644 meta/recipes-core/glibc/glibc/CVE-2023-4911.patch > > > > diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch > > new file mode 100644 > > index 0000000000..4d3146509a > > --- /dev/null > > +++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch > > @@ -0,0 +1,63 @@ > > +From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001 > > +From: Siddhesh Poyarekar <siddhesh@redhat.com> > > +Date: Mon, 11 Sep 2023 18:53:15 -0400 > > +Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached > > + > > +The string parsing routine may end up writing beyond bounds of tunestr > > +if the input tunable string is malformed, of the form name=name=val. > > +This gets processed twice, first as name=name=val and next as name=val, > > +resulting in tunestr being name=name=val:name=val, thus overflowing > > +tunestr. > > + > > +Terminate the parsing loop at the first instance itself so that tunestr > > +does not overflow. > > +--- > > +Changes from v1: > > + > > +- Also null-terminate tunestr before exiting. > > + > > + elf/dl-tunables.c | 17 ++++++++++------- > > + 1 file changed, 10 insertions(+), 7 deletions(-) > > + > > +Upstream-Status: Backport [git://sourceware.org/git/glibc.git] > > +CVE: CVE-2023-4911 > > + > > +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c > > +index 8e7ee9df10..76cf8b9da3 100644 > > +--- a/elf/dl-tunables.c > > ++++ b/elf/dl-tunables.c > > +@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) > > + /* If we reach the end of the string before getting a valid name-value > > + pair, bail out. */ > > + if (p[len] == '\0') > > +- { > > +- if (__libc_enable_secure) > > +- tunestr[off] = '\0'; > > +- return; > > +- } > > ++ break; > > + > > + /* We did not find a valid name-value pair before encountering the > > + colon. */ > > +@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) > > + } > > + } > > + > > +- if (p[len] != '\0') > > +- p += len + 1; > > ++ /* We reached the end while processing the tunable string. */ > > ++ if (p[len] == '\0') > > ++ break; > > ++ > > ++ p += len + 1; > > + } > > ++ > > ++ /* Terminate tunestr before we leave. */ > > ++ if (__libc_enable_secure) > > ++ tunestr[off] = '\0'; > > + } > > + #endif > > + > > +-- > > +2.41.0 > > + > > diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb > > index 8d216f6ed1..1862586749 100644 > > --- a/meta/recipes-core/glibc/glibc_2.31.bb > > +++ b/meta/recipes-core/glibc/glibc_2.31.bb > > @@ -80,6 +80,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ > > file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \ > > file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \ > > file://CVE-2023-0687.patch \ > > + file://CVE-2023-4911.patch \ > > " > > S = "${WORKDIR}/git" > > B = "${WORKDIR}/build-${TARGET_SYS}" > > -- > > 2.39.2 > > > > BrightSign considers your privacy to be very important. The emails you send to us will be protected and secured. Furthermore, we will only use your email and contact information for the reasons you sent them to us and for tracking how effectively we respond to your requests. > > > > > > >
On Thursday 05 October 2023 at 04:17:08 -1000, Steve Sakoman wrote: > Hmmm ... does this build for you? Yes, on top of 0111b5b152c1bcff0ab26cf8632ca9002237f070 (current HEAD of openembedded-core dunfell branch.) > I'm getting: > > ERROR: glibc-2.31+gitAUTOINC+2d4f26e5cf-r0 do_patch: Applying patch > 'CVE-2023-4911.patch' on target directory > '/home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/glibc/2.31+gitAUTOINC+2d4f26e5cf-r0/git' > Command Error: 'quilt --quiltrc > /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/glibc/2.31+gitAUTOINC+2d4f26e5cf-r0/recipe-sysroot-native/etc/quiltrc > push' exited with 0 Output: > Applying patch CVE-2023-4911.patch > patching file elf/dl-tunables.c > Hunk #1 FAILED at 187. > Hunk #2 FAILED at 251. > 2 out of 2 hunks FAILED -- rejects in file elf/dl-tunables.c > Patch CVE-2023-4911.patch does not apply (enforce with -f) Well that's strange. I can see from your work directory name that you're using the same glibc commit as me: 2d4f26e5cfda682f9ce61444b81533b83f6381af, and I can apply the CVE-2023-4911.patch to that commit without conflicts. Do you have any other changes beyond 0111b5b152c1bcff0ab26cf8632ca9002237f070 in your tree that might be applying other patches? Mike.
On Thursday 05 October 2023 at 11:16:29 -0400, Scott Murray wrote: > Debian's page at https://security-tracker.debian.org/tracker/CVE-2023-4911 > indicates at the bottom that they're only vulnerable on their 2.31 based > versions because they backported the change that introduced the > vulnerability, which I don't believe has been done in oe-core... It has. The openembedded-core dunfell branch is using glibc 2d4f26e5cfda682f9ce61444b81533b83f6381af. This commit is a successor of 8e88c0d8885f68d22f47b22969c273004c6e719f, which is the backport of 2ed18c5b534d9e92fc006202a5af0df6b72e7aca (as mentioned in the Qualsys advisory) that introduced the vulnerability. Mike.
On Thu, 5 Oct 2023, Mike Crowe wrote: > On Thursday 05 October 2023 at 11:16:29 -0400, Scott Murray wrote: > > Debian's page at https://security-tracker.debian.org/tracker/CVE-2023-4911 > > indicates at the bottom that they're only vulnerable on their 2.31 based > > versions because they backported the change that introduced the > > vulnerability, which I don't believe has been done in oe-core... > > It has. > > The openembedded-core dunfell branch is using glibc > 2d4f26e5cfda682f9ce61444b81533b83f6381af. This commit is a successor of > 8e88c0d8885f68d22f47b22969c273004c6e719f, which is the backport of > 2ed18c5b534d9e92fc006202a5af0df6b72e7aca (as mentioned in the Qualsys > advisory) that introduced the vulnerability. Hrm, yes, I had not realized that glibc had backported it on the 2.31 branch itself versus distros picking it themselves, my apologies. There sadly does not seem to be any public declaration yet if it is actually exploitable on pre-2.35 or not. Scott
On Thu, Oct 5, 2023 at 8:44 AM Mike Crowe <mac@mcrowe.com> wrote: > > On Thursday 05 October 2023 at 04:17:08 -1000, Steve Sakoman wrote: > > Hmmm ... does this build for you? > > Yes, on top of 0111b5b152c1bcff0ab26cf8632ca9002237f070 (current HEAD of > openembedded-core dunfell branch.) > > > I'm getting: > > > > ERROR: glibc-2.31+gitAUTOINC+2d4f26e5cf-r0 do_patch: Applying patch > > 'CVE-2023-4911.patch' on target directory > > '/home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/glibc/2.31+gitAUTOINC+2d4f26e5cf-r0/git' > > Command Error: 'quilt --quiltrc > > /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/glibc/2.31+gitAUTOINC+2d4f26e5cf-r0/recipe-sysroot-native/etc/quiltrc > > push' exited with 0 Output: > > Applying patch CVE-2023-4911.patch > > patching file elf/dl-tunables.c > > Hunk #1 FAILED at 187. > > Hunk #2 FAILED at 251. > > 2 out of 2 hunks FAILED -- rejects in file elf/dl-tunables.c > > Patch CVE-2023-4911.patch does not apply (enforce with -f) > > Well that's strange. I can see from your work directory name that you're > using the same glibc commit as me: > 2d4f26e5cfda682f9ce61444b81533b83f6381af, and I can apply the > CVE-2023-4911.patch to that commit without conflicts. > > Do you have any other changes beyond > 0111b5b152c1bcff0ab26cf8632ca9002237f070 in your tree that might be > applying other patches? Strange! Nothing that should affect glibc. I'm applying to the head of stable/dunfell-nut: https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Steve
On Thursday 05 October 2023 at 09:25:44 -1000, Steve Sakoman wrote: > Strange! Nothing that should affect glibc. I'm applying to the head > of stable/dunfell-nut: > > https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut All my fault. I managed to lose my mail-sending wrapper in some recent configuration setting cleanups and the patch went out via Microsoft's mail server which seems to have corrupted the whitespace in the patch. I'll post v2 shortly via a less broken mail server. Sorry for the confusion. Mike.
On Thu, Oct 5, 2023 at 10:37 AM Mike Crowe <mac@mcrowe.com> wrote: > > On Thursday 05 October 2023 at 09:25:44 -1000, Steve Sakoman wrote: > > Strange! Nothing that should affect glibc. I'm applying to the head > > of stable/dunfell-nut: > > > > https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut > > All my fault. > > I managed to lose my mail-sending wrapper in some recent configuration > setting cleanups and the patch went out via Microsoft's mail server which > seems to have corrupted the whitespace in the patch. I'll post v2 shortly > via a less broken mail server. > > Sorry for the confusion. Ah, that makes sense! I'll watch for it. Steve
diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch new file mode 100644 index 0000000000..4d3146509a --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch @@ -0,0 +1,63 @@ +From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@redhat.com> +Date: Mon, 11 Sep 2023 18:53:15 -0400 +Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached + +The string parsing routine may end up writing beyond bounds of tunestr +if the input tunable string is malformed, of the form name=name=val. +This gets processed twice, first as name=name=val and next as name=val, +resulting in tunestr being name=name=val:name=val, thus overflowing +tunestr. + +Terminate the parsing loop at the first instance itself so that tunestr +does not overflow. +--- +Changes from v1: + +- Also null-terminate tunestr before exiting. + + elf/dl-tunables.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +Upstream-Status: Backport [git://sourceware.org/git/glibc.git] +CVE: CVE-2023-4911 + +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c +index 8e7ee9df10..76cf8b9da3 100644 +--- a/elf/dl-tunables.c ++++ b/elf/dl-tunables.c +@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) + /* If we reach the end of the string before getting a valid name-value + pair, bail out. */ + if (p[len] == '\0') +- { +- if (__libc_enable_secure) +- tunestr[off] = '\0'; +- return; +- } ++ break; + + /* We did not find a valid name-value pair before encountering the + colon. */ +@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) + } + } + +- if (p[len] != '\0') +- p += len + 1; ++ /* We reached the end while processing the tunable string. */ ++ if (p[len] == '\0') ++ break; ++ ++ p += len + 1; + } ++ ++ /* Terminate tunestr before we leave. */ ++ if (__libc_enable_secure) ++ tunestr[off] = '\0'; + } + #endif + +-- +2.41.0 + diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb index 8d216f6ed1..1862586749 100644 --- a/meta/recipes-core/glibc/glibc_2.31.bb +++ b/meta/recipes-core/glibc/glibc_2.31.bb @@ -80,6 +80,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \ file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \ file://CVE-2023-0687.patch \ + file://CVE-2023-4911.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}"