Opened 22 months ago
Closed 22 months ago
#5203 closed enhancement (fixed)
glibc-2.37
Reported by: | Xi Ruoyao | Owned by: | Xi Ruoyao
---|---|---|---
Priority: | high | Milestone: | 11.3
Component: | Book | Version: | git
Severity: | normal | Keywords: |
Cc: | | |
Description
New minor version.
It contains a security fix for CVE-2022-39046:
CVE-2022-39046: When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.
Change History (13)
comment:2 by , 22 months ago
Major new features:
- The getent tool now supports the --no-addrconfig option. The output of getent with --no-addrconfig may contain addresses of families not configured on the current host i.e. as-if you had not passed AI_ADDRCONFIG to getaddrinfo calls.
Deprecated and removed features, and other changes affecting compatibility:
- The dynamic linker no longer loads shared objects from the "tls" subdirectories on the library search path or the subdirectory that corresponds to the AT_PLATFORM system name, or employs the legacy AT_HWCAP search mechanism, which was deprecated in version 2.33.
Security related changes:
CVE-2022-39046: When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.
The following bugs are resolved with this release:
[12154] network: Cannot resolve hosts which have wildcard aliases
[12165] libc: readdir: Do not skip entries with zero d_ino values
[19444] build: build failures with -O1 due to -Wmaybe-uninitialized
[24774] nptl: pthread_rwlock_timedwrlock stalls on ARM
[24816] nss: nss/tst-nss-files-hosts-long fails when no interface has AF_INET6 address (ie docker)
[27087] stdio: PowerPC: Redefinition error with Clang from IEEE redirection headers
[28846] network: CMSG_NXTHDR may trigger -Wstrict-overflow warning
[28937] dynamic-link: New DSO dependency sorter does not put new map first if in a cycle
[29249] libc: csu/libc-tls.c:202: undefined reference to `_startup_fatal_not_constant'
[29305] network: Inefficient buffer space usage in nss_dns for gethostbyname and other functions
[29375] libc: don't hide MAP_ANONYMOUS behind _GNU_SOURCE
[29402] nscd: nscd: No such file or directory
[29415] nscd: getaddrinfo with AI_ADDRCONFIG returns addresses with wrong family
[29427] dynamic-link: Inconsistency detected by ld.so: dl-printf.c: 200: _dl_debug_vdprintf: Assertion `! "invalid format specifier"' failed!
[29463] math: math/test-float128-y1 fails on x86_64
[29485] build: Make hangs when the test misc/tst-pidfile returns FAIL_UNSUPPORTED
[29490] dynamic-link: [bisected] new __brk_call causes dynamic loader segfault on alpha
[29499] build: Check failed on misc/tst-glibcsyscalls while building for RISCV64 on a unmatched hardware
[29501] build: Check failed on stdlib/tst-strfrom while building for RISCV64 on a unmatched hardware
[29502] libc: alpha sys/acct.h out of date
[29514] build: Need to use -fPIE not -fpie
[29528] dynamic-link: __libc_early_init not called after dlmopen that reuses namespace
[29536] libc: syslog fail to create large messages (CVE-2022-39046)
[29537] libc: [2.34 regression]: Alignment issue on m68k when using futexes on qemu-user
[29539] libc: LD_TRACE_LOADED_OBJECTS changed how vDSO library are printed
[29544] libc: Regression in syslog(3) calls breaks RFC due to extra whitespace
[29564] build: Incorrect way to change MAKEFLAGS in Makerules
[29576] build: librtld.os: in function `_dl_start_profile': (.text+0x9444): undefined reference to `strcpy'
[29578] libc: Definition of SUN_LEN() is wrong
[29583] build: iconv failures on 32bit platform due to missing large file support
[29600] dynamic-link: dlmopen hangs after loading certain libraries
[29604] localedata: Update locale data to Unicode 15.0.0
[29605] nscd: Regression in NSCD backend of getaddrinfo
[29607] nscd: nscd repeatably crashes calling __strlen_avx2 when hosts cache is enabled
[29611] string: Optimized AVX2 string functions unconditionally use BMI2 instructions
[29624] malloc: errno is not cleared when entering main
[29638] libc: stdlib: arc4random fallback is never used
[29657] libc: Incorrect struct stat for 64-bit time on linux/generic platforms
[29698] build: Configuring for AArch32 on ARMv8+ disables optimizations
[29727] locale: __strtol_internal out-of-bounds read when parsing thousands grouping
[29730] libc: broken y2038 support in fstatat on MIPS N64
[29746] libc: ppoll() does not switch to __ppoll64 when -D_TIME_BITS=64 and -D_FORTIFY_SOURCE=2 is given on 32bit
[29771] libc: Restore IPC_64 support in sysvipc *ctl functions
[29780] build: possible parallel make issue in glibc-2.36 (siglist-aux.S: No such file or directory)
[29864] libc: __libc_start_main() should obtain program headers address (_dl_phdr) from the auxv, not the ELF header.
[29951] time: daylight variable not set correctly if last DST change coincides with offset change
[30039] stdio: __vsprintf_internal does not handle unspecified buffer length in fortify mode
comment:3 by , 22 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:4 by , 22 months ago
We'll need to fix https://sourceware.org/bugzilla/show_bug.cgi?id=30068.
comment:5 by , 22 months ago
A patch has been posted at https://sourceware.org/pipermail/libc-alpha/2023-January/144847.html for another minor issue, but now it looks like it fixes this new issue as well.
follow-up: 7 comment:6 by , 22 months ago
Well, things are complicated. There are two subtests in MPFR 4.2.0 test tsprintf
failing with glibc-2.37. One reveals a bug in glibc-2.37, but another reveals a bug in old glibc releases (i.e. the "standard output" was based on the bad result with old glibc releases, but the result is fixed in glibc-2.37).
Will fix MPFR test suite as well.
follow-up: 8 comment:7 by , 22 months ago
Replying to Xi Ruoyao:
Well, things are complicated. There are two subtests in MPFR 4.2.0 test tsprintf failing with glibc-2.37. One reveals a bug in glibc-2.37, but another reveals a bug in old glibc releases (i.e. the "standard output" was based on the bad result with old glibc releases, but the result is fixed in glibc-2.37). Will fix MPFR test suite as well.
I'm sure you can do that very well, but I don't think we should fix everything upstream has not fixed: it's upstream's role, not ours. Of course if there is a bug that may have consequences in our build or later when using LFS, it has to be fixed. But fixing testsuites, that otherwise are of no use for LFS, is kind of a waste of time. Up to you if you want to do it, though :)
Note that fixing testsuites in our environment (that is, when upstream does not support something we do) may be our role. Although it is enough to know why there is a failure and to report it in the book.
comment:8 by , 22 months ago
Replying to pierre:
Replying to Xi Ruoyao:
Well, things are complicated. There are two subtests in MPFR 4.2.0 test tsprintf failing with glibc-2.37. One reveals a bug in glibc-2.37, but another reveals a bug in old glibc releases (i.e. the "standard output" was based on the bad result with old glibc releases, but the result is fixed in glibc-2.37). Will fix MPFR test suite as well.
I'm sure you can do that very well, but I don't think we should fix everything upstream has not fixed: it's upstream's role, not ours. Of course if there is a bug that may have consequences in our build or later when using LFS, it has to be fixed. But fixing testsuites, that otherwise are of no use for LFS, is kind of a waste of time. Up to you if you want to do it, though :)
Note that fixing testsuites in our environment (that is, when upstream does not support something we do) may be our role. Although it is enough to know why there is a failure and to report it in the book.
This test can detect the Glibc issue as well, so I prefer to fix it. Then if a reader failed to apply the sed for Glibc, the issue will be highlighted.
Or I can use a patch for Glibc (adding a test case as well) instead of a sed, but IMO two seds are "lighter" than a patch.
follow-up: 10 comment:9 by , 22 months ago
Note that the Glibc issue must be fixed because otherwise it could trigger buffer overflows with innocent user code.
comment:10 by , 22 months ago
Replying to Xi Ruoyao:
Note that the Glibc issue must be fixed because otherwise it could trigger buffer overflows with innocent user code.
agreed. And also agreed for the mpfr test to detect a bad application of the sed/patch to glibc.
comment:11 by , 22 months ago
I only saw one sed that is needed:
sed -e '/width -= workend/s/workend - string/number_length/' \
    -i stdio-common/vfprintf-process-arg.c
Also the patch does not seem to match the released code exactly. What I see is:
if (octal_marker)
  --width;
width -= workend - string + prec;
but the patch has:
width -= 2; } - width -= workend - string + prec; + width -= number_length + prec;
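Review bot: the hunk's leading context (`width -= 2;` and the closing `}`) does not match the released 2.37 file, where the `-` line `width -= workend - string + prec;` is preceded by `if (octal_marker) --width;`, so `patch` would reject this hunk against the tarball or apply it with fuzz. Carrying the one-line change with the sed above is cleaner, but sed reports nothing when its address fails to match, so after running it confirm with grep that `width -= number_length + prec;` now appears in stdio-common/vfprintf-process-arg.c and that the old `workend - string + prec` expression is gone; a build that silently kept the old line would still have the width bug the ticket is about.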
There is no right brace character in the released code.
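Comments 8 to 11 rely on MPFR's tsprintf test to notice when the sed did not take effect. As an added, self-contained check that is not part of this ticket, of LFS or of MPFR, the C program below exercises the same family of printf width computations (sign, `-`, `0`, `#`, precision and the `'` grouping flag) against invariants that hold for every correct libc: the return value equals the output length, the field is at least `width` characters wide, nothing is written past the terminator, and, in the "C" locale, the text is exactly what C11 requires. The format list and the locale name `en_US.UTF-8` are assumptions; the ticket does not name the formats that exposed the 2.37 bug, so the grouping cases check only the invariants rather than locale-specific text.

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>

/* One regression case: format, argument, requested width, expected text.
   expect == NULL means the text is locale-dependent: check invariants only. */
struct fmt_case {
    const char *fmt;
    int value;
    int width;
    const char *expect;
};

/* Constructed "C"-locale cases.  Expected strings follow C11 7.21.6.1 and do
   not depend on the glibc version; the ' flag is a no-op without grouping. */
static const struct fmt_case c_locale_cases[] = {
    { "%-+11d",    1234567, 11, "+1234567   " },
    { "%+011d",    1234567, 11, "+0001234567" },
    { "%'-+11d",   1234567, 11, "+1234567   " },
    { "%'-+11.3d",      12, 11, "+012       " },
    { "%#11o",           8, 11, "        010" },
    { "%#-11.4o",        8, 11, "0010       " },
};

/* Format one case and check printf's invariants.  Returns 0 when all hold,
   otherwise a small code identifying the first violated invariant. */
static int check_case(const struct fmt_case *c)
{
    char buf[64];
    memset(buf, 0x7f, sizeof buf);            /* sentinel beyond the output */
    int n = snprintf(buf, sizeof buf, c->fmt, c->value);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 1;                             /* failed or truncated */
    if ((int)strlen(buf) != n)
        return 2;                             /* return value != text length */
    if (n < c->width)
        return 3;                             /* field narrower than requested */
    for (size_t i = (size_t)n + 1; i < sizeof buf; i++)
        if (buf[i] != 0x7f)
            return 4;                         /* wrote past the terminator */
    if (c->expect && strcmp(buf, c->expect) != 0)
        return 5;                             /* wrong text */
    return 0;
}

/* Number of failing cases in the "C" locale. */
int run_c_locale_checks(void)
{
    setlocale(LC_NUMERIC, "C");
    int failures = 0;
    for (size_t i = 0; i < sizeof c_locale_cases / sizeof c_locale_cases[0]; i++)
        failures += check_case(&c_locale_cases[i]) != 0;
    return failures;
}

/* The grouping formats under a locale whose ' flag inserts separators.
   Returns -1 when the locale is not installed, else the failure count. */
int run_grouping_checks(const char *locale_name)
{
    if (setlocale(LC_NUMERIC, locale_name) == NULL)
        return -1;
    static const struct fmt_case cases[] = {
        { "%'-+11d",    1234567, 11, NULL },
        { "%'+011d",    1234567, 11, NULL },
        { "%'-+13.10d", 1234567, 13, NULL },
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        failures += check_case(&cases[i]) != 0;
    setlocale(LC_NUMERIC, "C");
    return failures;
}

int main(void)
{
    int c = run_c_locale_checks();
    int g = run_grouping_checks("en_US.UTF-8");   /* assumed locale name */
    printf("C locale: %d failing case(s)\n", c);
    if (g < 0)
        printf("en_US.UTF-8 not installed; grouping cases skipped\n");
    else
        printf("en_US.UTF-8: %d failing case(s)\n", g);
    return c != 0 || g > 0;
}
```

Run it against the freshly built glibc (for example through its dynamic loader with `--library-path`) before and after the sed; the sentinel and length checks are what turn a width miscomputation into a visible failure even when the text itself looks plausible.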
comment:12 by , 22 months ago
Just found a minor issue: https://sourceware.org/bugzilla/show_bug.cgi?id=30071
This is mostly harmless, but it may break some packages if both kernel headers and glibc headers are used and -Werror is enabled.
comment:13 by , 22 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at r11.2-311-gfcadbf41d.
A security advisory for glibc-2.36 has been published as 11.2-075.