#5203 closed enhancement (fixed)

glibc-2.37

Reported by: Xi Ruoyao Owned by: Xi Ruoyao
Priority: high Milestone: 11.3
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New minor version.

It contains a security fix for CVE-2022-39046:

CVE-2022-39046: When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.

Change History (13)

comment:1 by Xi Ruoyao, 23 months ago

A security advisory for glibc-2.36 has been published as 11.2-075.

Last edited 23 months ago by Xi Ruoyao (previous) (diff)

comment:2 by Xi Ruoyao, 23 months ago

Major new features:

  • The getent tool now supports the --no-addrconfig option. The output of getent with --no-addrconfig may contain addresses of families not configured on the current host i.e. as-if you had not passed AI_ADDRCONFIG to getaddrinfo calls.

Deprecated and removed features, and other changes affecting compatibility:

  • The dynamic linker no longer loads shared objects from the "tls" subdirectories on the library search path or the subdirectory that corresponds to the AT_PLATFORM system name, or employs the legacy AT_HWCAP search mechanism, which was deprecated in version 2.33.

Security related changes:

CVE-2022-39046: When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.

The following bugs are resolved with this release:

  [12154] network: Cannot resolve hosts which have wildcard aliases
  [12165] libc: readdir: Do not skip entries with zero d_ino values
  [19444] build: build failures with -O1 due to -Wmaybe-uninitialized
  [24774] nptl: pthread_rwlock_timedwrlock stalls on ARM
  [24816] nss: nss/tst-nss-files-hosts-long fails when no interface has
    AF_INET6 address (ie docker)
  [27087] stdio: PowerPC: Redefinition error with Clang from IEEE
    redirection headers
  [28846] network: CMSG_NXTHDR may trigger -Wstrict-overflow warning
  [28937] dynamic-link: New DSO dependency sorter does not put new map
    first if in a cycle
  [29249] libc: csu/libc-tls.c:202: undefined reference to
    `_startup_fatal_not_constant'
  [29305] network: Inefficient buffer space usage in nss_dns for
    gethostbyname and other functions
  [29375] libc: don't hide MAP_ANONYMOUS behind _GNU_SOURCE
  [29402] nscd: nscd: No such file or directory
  [29415] nscd: getaddrinfo with AI_ADDRCONFIG returns addresses with
    wrong family
  [29427] dynamic-link: Inconsistency detected by ld.so: dl-printf.c:
    200: _dl_debug_vdprintf: Assertion `! "invalid format specifier"'
    failed!
  [29463] math: math/test-float128-y1 fails on x86_64
  [29485] build: Make hangs when the test misc/tst-pidfile returns
    FAIL_UNSUPPORTED
  [29490] dynamic-link: [bisected] new __brk_call causes dynamic loader
    segfault on alpha
  [29499] build: Check failed on misc/tst-glibcsyscalls while building
    for RISCV64 on a unmatched hardware
  [29501] build: Check failed on stdlib/tst-strfrom while building for
    RISCV64 on a unmatched hardware
  [29502] libc: alpha sys/acct.h out of date
  [29514] build: Need to use -fPIE not -fpie
  [29528] dynamic-link: __libc_early_init not called after dlmopen that
    reuses namespace
  [29536] libc: syslog fail to create large messages (CVE-2022-39046)
  [29537] libc: [2.34 regression]: Alignment issue on m68k when using
    futexes on qemu-user
  [29539] libc: LD_TRACE_LOADED_OBJECTS changed how vDSO library are
    printed
  [29544] libc: Regression in syslog(3) calls breaks RFC due to extra
    whitespace
  [29564] build: Incorrect way to change MAKEFLAGS in Makerules
  [29576] build: librtld.os: in function `_dl_start_profile':
    (.text+0x9444): undefined reference to `strcpy'
  [29578] libc: Definition of SUN_LEN() is wrong
  [29583] build: iconv failures on 32bit platform due to missing large
    file support
  [29600] dynamic-link: dlmopen hangs after loading certain libraries
  [29604] localedata: Update locale data to Unicode 15.0.0
  [29605] nscd: Regression in NSCD backend of getaddrinfo
  [29607] nscd: nscd repeatably crashes calling __strlen_avx2 when hosts
    cache is enabled
  [29611] string: Optimized AVX2 string functions unconditionally use
    BMI2 instructions
  [29624] malloc: errno is not cleared when entering main
  [29638] libc: stdlib: arc4random fallback is never used
  [29657] libc: Incorrect struct stat for 64-bit time on linux/generic
    platforms
  [29698] build: Configuring for AArch32 on ARMv8+ disables
    optimizations
  [29727] locale: __strtol_internal out-of-bounds read when parsing
    thousands grouping
  [29730] libc: broken y2038 support in fstatat on MIPS N64
  [29746] libc: ppoll() does not switch to __ppoll64 when
    -D_TIME_BITS=64 and -D_FORTIFY_SOURCE=2 is given on 32bit
  [29771] libc: Restore IPC_64 support in sysvipc *ctl functions
  [29780] build: possible parallel make issue in glibc-2.36 (siglist-
    aux.S: No such file or directory)
  [29864] libc: __libc_start_main() should obtain program headers
    address (_dl_phdr) from the auxv, not the ELF header.
  [29951] time: daylight variable not set correctly if last DST change
    coincides with offset change
  [30039] stdio: __vsprintf_internal does not handle unspecified buffer
    length in fortify mode

comment:3 by Xi Ruoyao, 23 months ago

Owner: changed from lfs-book to Xi Ruoyao
Status: newassigned

comment:5 by Xi Ruoyao, 23 months ago

A patch has been posted at https://sourceware.org/pipermail/libc-alpha/2023-January/144847.html for another minor issue, but now it looks like it fixes this new issue as well.

comment:6 by Xi Ruoyao, 23 months ago

Well, things are complicated. There are two subtests in MPFR 4.2.0 test tsprintf failing with glibc-2.37. One reveals a bug in glibc-2.37, but another reveals a bug in old glibc releases (i.e. the "standard output" was based on the bad result with old glibc releases, but the result is fixed in glibc-2.37).

Will fix MPFR test suite as well.

in reply to:  6 ; comment:7 by pierre, 23 months ago

Replying to Xi Ruoyao:

Well, things are complicated. There are two subtests in MPFR 4.2.0 test tsprintf failing with glibc-2.37. One reveals a bug in glibc-2.37, but another reveals a bug in old glibc releases (i.e. the "standard output" was based on the bad result with old glibc releases, but the result is fixed in glibc-2.37).

Will fix MPFR test suite as well.

I'm sure you can do that very well, but I don't think we should fix everything upstream has not fixed: it's upstream role, not ours. Of course if there is a bug that may have consequences in our build or later when using lfs, it has to be fixed. But fixing testsuites, that otherwise are of no use for lfs, is kind of a waste of time. Up to you if you want to do it, though :)

Note that fixing testsuites in our environment (that is, when upstream does not support something we do) may be our role. Although it is enough to know why there is a failure and to report it in the book.

in reply to:  7 comment:8 by Xi Ruoyao, 23 months ago

Replying to pierre:

Replying to Xi Ruoyao:

Well, things are complicated. There are two subtests in MPFR 4.2.0 test tsprintf failing with glibc-2.37. One reveals a bug in glibc-2.37, but another reveals a bug in old glibc releases (i.e. the "standard output" was based on the bad result with old glibc releases, but the result is fixed in glibc-2.37).

Will fix MPFR test suite as well.

I'm sure you can do that very well, but I don't think we should fix everything upstream has not fixed: it's upstream role, not ours. Of course if there is a bug that may have consequences in our build or later when using lfs, it has to be fixed. But fixing testsuites, that otherwise are of no use for lfs, is kind of a waste of time. Up to you if you want to do it, though :)

Note that fixing testsuites in our environment (that is, when upstream does not support something we do) may be our role. Although it is enough to know why there is a failure and to report it in the book.

This test can detect the Glibc issue as well, so I prefer to fix it. Then if a reader failed to apply the sed for Glibc, the issue will be highlighted.

Or I can use a patch for Glibc (adding a test case as well) instead of a sed, but IMO two sed are "lighter" than a patch.

comment:9 by Xi Ruoyao, 23 months ago

Note that the Glibc issue must be fixed because otherwise it could trigger buffer overflows with innocent user code.

in reply to:  9 comment:10 by pierre, 23 months ago

Replying to Xi Ruoyao:

Note that the Glibc issue must be fixed because otherwise it could trigger buffer overflows with innocent user code.

agreed. And also agreed for the mpfr test to detect a bad application of the sed/patch to glibc.

comment:11 by Bruce Dubbs, 23 months ago

I only saw one sed that is needed:

sed -e '/width -= workend/s/workend - string/number_length/' \
    -i stdio-common/vfprintf-process-arg.c

Also the patch does not seem to match the released code exactly. What I see is:

      if (octal_marker)
   --width;

      width -= workend - string + prec;

but the patch has:

           width -= 2;
         }
 
-      width -= workend - string + prec;
+      width -= number_length + prec;

There is no right brace character in the released code.

comment:12 by Xi Ruoyao, 23 months ago

Just found a minor issue: https://sourceware.org/bugzilla/show_bug.cgi?id=30071

This is mostly harmless, but it may break some packages if both kernel headers and glibc headers are used and -Werror is enabled.

comment:13 by Xi Ruoyao, 23 months ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.