From patchwork Thu Oct 5 08:54:07 2023
X-Patchwork-Submitter: Mike Crowe
X-Patchwork-Id: 31709
From: mac@mcrowe.com
To: openembedded-core@lists.openembedded.org
Cc: Mike Crowe
Subject: [dunfell][PATCH] glibc: Fix CVE-2023-4911 "Looney Tunables"
Date: Thu, 5 Oct 2023 09:54:07 +0100
Message-Id: <20231005085407.2200644-1-mac@mcrowe.com>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188708

From: Mike Crowe

Take the patch from the source for Debian's glibc 2.31-13+deb11u7 package,
the changelog for which starts with:

glibc (2.31-13+deb11u7) bullseye-security; urgency=medium

  * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in
    the dynamic loader's processing of the GLIBC_TUNABLES environment
    variable (CVE-2023-4911).

This addresses the "Looney Tunables" vulnerability described at
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

Signed-off-by: Mike Crowe
---
 .../glibc/glibc/CVE-2023-4911.patch   | 63 +++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.31.bb |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2023-4911.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch new file mode 100644 index 0000000000..4d3146509a --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
@@ -0,0 +1,63 @@ +From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Mon, 11 Sep 2023 18:53:15 -0400 +Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached + +The string parsing routine may end up writing beyond bounds of tunestr +if the input tunable string is malformed, of the form name=name=val. +This gets processed twice, first as name=name=val and next as name=val, +resulting in tunestr being name=name=val:name=val, thus overflowing +tunestr. + +Terminate the parsing loop at the first instance itself so that tunestr +does not overflow. +--- +Changes from v1: + +- Also null-terminate tunestr before exiting. + + elf/dl-tunables.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +Upstream-Status: Backport [git://sourceware.org/git/glibc.git] +CVE: CVE-2023-4911 + +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c +index 8e7ee9df10..76cf8b9da3 100644 +--- a/elf/dl-tunables.c ++++ b/elf/dl-tunables.c +@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) + /* If we reach the end of the string before getting a valid name-value + pair, bail out. */ + if (p[len] == '\0') +- { +- if (__libc_enable_secure) +- tunestr[off] = '\0'; +- return; +- } ++ break; + + /* We did not find a valid name-value pair before encountering the + colon. */ +@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) + } + } + +- if (p[len] != '\0') +- p += len + 1; ++ /* We reached the end while processing the tunable string. */ ++ if (p[len] == '\0') ++ break; ++ ++ p += len + 1; + } ++ ++ /* Terminate tunestr before we leave. */ ++ if (__libc_enable_secure) ++ tunestr[off] = '\0'; + } + #endif + +-- +2.41.0 + diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb index 8d216f6ed1..1862586749 100644 --- a/meta/recipes-core/glibc/glibc_2.31.bb +++ b/meta/recipes-core/glibc/glibc_2.31.bb 
@@ -80,6 +80,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \ file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \ file://CVE-2023-0687.patch \ + file://CVE-2023-4911.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}"
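Review bot: in the `@@ -187,11 +187,7 @@ parse_tunables` hunk of elf/dl-tunables.c, replacing the early `return` block (which wrote `tunestr[off] = '\0'` under `__libc_enable_secure`) with a bare `break` removes the termination from this exit path, so the hunk is only correct together with the post-loop `if (__libc_enable_secure) tunestr[off] = '\0';` added further down in the same file. That is how upstream commit d2b77337f734fcacdfc8e0ddec14cf31a746c7be is structured, so the backport is fine as long as CVE-2023-4911.patch is carried whole and never split or partially re-applied.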
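Review bot: in the `@@ -251,9 +247,16 @@` hunk, the replaced `if (p[len] != '\0') p += len + 1;` is exactly the spot the commit message describes: when the final segment had no trailing colon, `p` was left where it was and the loop body ran again over the same `name=name=val` text, appending a second `name=val` copy to `tunestr`. The new `if (p[len] == '\0') break;` exits the loop instead, and the termination that now follows the loop keeps the same `__libc_enable_secure` guard as the block removed in the first hunk, so non-secure processes see unchanged behaviour. Suggest noting that guard's parity with the removed code in the patch description so a later reader does not mistake it for an incomplete fix.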
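Review bot: in the glibc_2.31.bb hunk, `file://CVE-2023-4911.patch \` is appended to SRC_URI directly after `file://CVE-2023-0687.patch \`, matching the recipe's existing CVE-named patch convention, and the patch file itself carries `Upstream-Status: Backport [git://sourceware.org/git/glibc.git]` and `CVE: CVE-2023-4911`, the tags OE-Core expects for a backported security fix. One documentation nit: the patch header gives the upstream commit but not the glibc release it first shipped in, which would help whoever later decides whether a version bump supersedes this patch.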