glibc-2.39

[Xi Ruoyao]

New minor version.

Containing CVE-2023-6246, CVE-2023-6779, and CVE-2023-6780 fixes. CVE-2023-6246 is rated HIGH (7.8 by NVD, 8.4 by Red Hat) as a practically exploitable local privilege escalation.

The fixes are included in glibc-2.38-upstream_fixes-4.patch, but a SA for LFS 11.2 - 12.0 (glibc 2.36 - 2.38) has not been issued yet. Currently the editors seem having a consensus that upgrading Glibc should be safe with some caution, and to ease the security fixes on Glibc we can just tell how to upgrade Glibc safely instead of preparing patches for multiple Glibc versions.

[Xi Ruoyao]

• A new tunable, glibc.cpu.plt_rewrite, can be used to enable PLT rewrite on x86-64. When enabled with non-lazy binding, the dynamic linker will rewrite indirect branches in PLT with direct branches.

• Sync with Linux kernel 6.6 shadow stack interface. The --enable-cet configure option is only supported on x86-64.

• struct statvfs now has an f_type member, equal to the f_type statfs member; on the Hurd this was always available under a reserved name, and under Linux a spare has been allocated: it was always zero in previous versions of glibc, and zero is not a valid result.

• On Linux, the functions posix_spawnattr_getcgroup_np and posix_spawnattr_setcgroup_np have been added, along with the POSIX_SPAWN_SETCGROUP flag. They allow posix_spawn and posix_spawnp to set the cgroupv2 in the new process in a race-free manner. These functions are GNU extensions and require a kernel with clone3 support.

• On Linux, the pidfd_spawn and pidfd_spawp functions have been added. They have a similar prototype and semantic as posix_spawn, but instead of returning a process ID, they return a file descriptor that can be used along other pidfd functions (like pidfd_send_signal, poll, or waitid). The pidfd functionality avoids the issue of PID reuse with the traditional posix_spawn interface.

• On Linux, the pidfd_getpid function has been added. It allows retrieving the process ID associated with the process file descriptor created by pid_spawn, fork_np, or pidfd_open.

• scanf-family functions now support the wN format length modifiers for arguments pointing to types intN_t, int_leastN_t, uintN_t or uint_leastN_t (for example, %w32d to read int32_t or int_least32_t in decimal, or %w32x to read uint32_t or uint_least32_t in hexadecimal) and the wfN format length modifiers for arguments pointing to types int_fastN_t or uint_fastN_t, as specified in draft ISO C2X.

• A new tunable, glibc.mem.decorate_maps, can be used to add additional information on underlying memory allocated by the glibc (for instance, on thread stack created by pthread_create or memory allocated by malloc).

• The <stdbit.h> header has been added from ISO C2X, with stdc_leading_zeros, stdc_leading_ones, stdc_trailing_zeros, stdc_trailing_ones, stdc_first_leading_zero, stdc_first_leading_one, stdc_first_trailing_zero, stdc_first_trailing_one, stdc_count_zeros, stdc_count_ones, stdc_has_single_bit, stdc_bit_width, stdc_bit_floor and stdc_bit_ceil function families, each having functions for unsigned char, unsigned short, unsigned int, unsigned long int and unsigned long long int, and a type-generic macro.

• On AArch64 new symbols were added to libmvec and now math.h has annotations to allow GCC 9 or newer to auto-vectorize calls to the following scalar math functions when -ffast-math is specified: acos, acosf, asin, asinf, atan, atanf, atan2, atan2f, cos, cosf, exp, expf, exp10, exp10f, exp2, exp2f, expm1, expm1f, log, logf, log10, log10f, log1p, log1pf, log2, log2f, sin, sinf, tan, tanf.

Deprecated and removed features, and other changes affecting compatibility:

• The ldconfig program now skips file names containing ';' or ending in ".dpkg.tmp" or ".dpkg.new", to avoid examining temporary files created by the RPM and dpkg package managers.

• libcrypt has been removed from the GNU C Library. The configure options "--enable-crypt" and "--enable-nss-crypt" are no longer available. <crypt.h>, libcrypt.a, and libcrypt.so.1 will not be installed. For now <unistd.h> continues to declare the crypt function by default, to avoid introducing vulnerabilities into existing applications due to a missing prototype. This declaration is deprecated and may be removed in a future glibc release.

The replacement for libcrypt is libxcrypt, maintained separately from GNU libc, but available under compatible licensing terms, and providing binary backward compatibility with the former libcrypt. It is currently distributed from <​https://github.com/besser82/libxcrypt/>.

As a consequence of this removal, GNU libc no longer makes any use of the NSS cryptography library (Network Security Services; not to be confused with Name Service Switch). Distributors of binary packages of GNU libc are advised to check whether their build processes can be simplified.

• The dynamic linker calls the malloc and free functions in more cases during TLS access if a shared object with dynamic TLS is loaded and unloaded. This can result in an infinite recursion if a malloc replacement library or its dependencies use dynamic TLS instead of initial-exec TLS.

• The ia64*-*-linux-gnu configurations are no longer supported.

Changes to build and runtime requirements:

• Building on LoongArch requires at a minimum binutils 2.41 for vector instructions.

Security related changes:

The following CVEs were fixed in this release, details of which can be found in the advisories directory of the release tarball:

GLIBC-SA-2023-0002:

getaddrinfo: Stack read overflow in no-aaaa mode (CVE-2023-4527)

GLIBC-SA-2023-0003:

getaddrinfo: Potential use-after-free (CVE-2023-4806)

GLIBC-SA-2023-0004:

tunables: local privilege escalation through buffer overflow (CVE-2023-4911)

GLIBC-SA-2024-0001:

syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246)

GLIBC-SA-2024-0002:

syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779)

GLIBC-SA-2024-0003:

syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780)

The following bugs are resolved with this release:

  [14522] localedata: fy_DE: LC_IDENTIFICATION data looks weird
  [19305] libc: qsort() should return early if (nmemb <= 1)
  [19479] localedata: gbm_IN: new Garhwali Locale
  [19924] dynamic-link: TLS performance degradation after dlopen
  [19956] localedata: ssy_ER: rename from aa_ER@saaho
  [21719] libc: stdlib/msort : optimizing merge sort
  [22526] localedata: th_TH  LC_COLLATE does not use copy "iso14651_t1"
  [23012] localedata: el_GR: Greece now uses the 24h format for time
  [23172] localedata: miq_NI: Provide actually abbreviated month names
  [24006] localedata: Cyclic dependencies via copy in locales
  [24013] localedata: am_pm definitions for es_ES
  [24386] localedata: crh_RU: new locale
  [24877] localedata: [Redundant Data] Remove redundant data between
    en_NZ and en_AU
  [25868] localedata: Incorrect trailing spaces in weekday names for
    nn_NO
  [26752] localedata: Please add the new locale zgh_MA
  [27069] dynamic-link: Need a way to tell if a tunable is set by user
  [27163] localedata: Error on test glk_IR with localedef
  [27312] localedata: su_ID: new Sundanese locale
  [27547] manual: "Summary of malloc-Related Functions" shows wrong
    argument order for  `aligned_alloc` and `memalign`
  [27574] libc: glibc should probably not define __WORDSIZE=64 for
    __sparcv9
  [27601] localedata: License information update in
    localedata/locales/ast_ES
  [28558] localedata: it_IT LC_MONETARY outdated p_cs_precedes and
    n_cs_precedes
  [28787] localedata: Add information for Occitan
  [29039] dynamic-link: Corrupt DTV after reuse of a TLS module ID
    following dlclose with unused TLS
  [29486] localedata: New Zealand locales (en_NZ & mi_NZ) first day of
    week should be Monday
  [29504] localedata: Incorrect/misleading Time Format For ms_MY (AM/PM)
  [29506] localedata: UTF-8 HANGUL SYLLABLE bugs
  [30349] libc: Support returning a pidfd from posix_spawn()
  [30412] localedata: d_t_fmt in id_ID uses %r placeholder but am_pm and
    t_fmt_ampm are undefined
  [30605] localedata: New locale for Komi language
  [30649] localedata: [PATCH] Add transliteration of common emojis to
    smileys
  [30694] locale: The iconv program no longer tells the user which given
    encoding name was wrong
  [30709] nscd: nscd fails to build with cleanup handler if built with
    -fexceptions
  [30737] libc: fdopendir() is not robust - returns bogus DIR* instead
    of flagging an error
  [30740] build: [m68k] undefined reference to
    `_wordcopy_fwd_dest_aligned'
  [30745] libc: Slight bug in cache info codes for x86
  [30750] network: Unaligned accesses in resolver
  [30773] math: [m68k] busybox awk is broken (lshift.S related)
  [30789] libc: [2.38 Regression] sem_open will fail on multithreaded
    scenarios when semaphore file doesn't exist (O_CREAT)
  [30800] nscd: Improper assert in prune_cache triggers if clock jumps
    backwards
  [30804] libc: F_GETLK, F_SETLK, and F_SETLKW value change for
    powerpc64 with -D_FILE_OFFSET_BITS=64
  [30842] network: Stack read overflow in getaddrinfo in no-aaaa mode
    (CVE-2023-4527)
  [30843] network: potential use-after-free in getcanonname
    (CVE-2023-4806)
  [30854] localedata: Update locale data to Unicode 15.1.0
  [30884] network: Memory leak in getaddrinfo after fix for bug 30843
    (CVE-2023-5156)
  [30932] libc: Fortify Source has false-positives when too many files
    are open
  [30945] malloc: Core affinity setting incurs lock contentions between
    threads
  [30960] math: signed integer overflow in
    glibc/sysdeps/s390/fpu/feenablxcpt.c
  [30964] locale: Number grouping check mishandles multibyte thousands
    separator
  [30981] dynamic-link: dlclose does not properly implement force-first
    handling
  [30988] math: fesetexcept raises floating-point exception traps on
    ppc, ppc64, ppc64le
  [30989] math: fesetexcept raises floating-point exception traps on
    i386
  [30990] libc: fesetexceptflag raises floating-point exception traps on
    i386, x86_64
  [30998] math: fesetexceptflag clears too many floating-point exception
    flags on alpha
  [31019] manual: The documentation of feenableexcept is incomplete
  [31022] math: feupdateenv (FE_DFL_ENV) crashes on riscv
  [31035] libc: Library search path terminates on relative non-directory
    name
  [31042] libc: [s390x] .init and .fini padding
  [31068] libc: sysdeps: sparc: invalid data access in memset due to
    regression
  [31078] manual: Code example in "Noncanonical Mode Example" has unused
    'char *name;'
  [31086] localedata: Errors in Tibetan, Dzongkha data
  [31113] string: Wrong unwind information for rawmemchr on aarch64
  [31151] libc: [RISC-V] missing support for profile/audit PLT setup
  [31163] nss: getaddrinfo returns EAI_NONAME in oom situation
  [31183] stdio: Wide stream buffer size reduced MB_LEN_MAX bytes after
    bug 17522 fix
  [31184] dynamic-link: FAIL: elf/tst-tlsgap
  [31185] dynamic-link: Incorrect thread point access in
    _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
  [31187] dynamic-link: Some CET tests fail with GCC 14
  [31204] localedata: Fix decimal point and thousands separator for
    uz_UZ
  [31205] localedata: Inconsistent (mon_)grouping formats
  [31218] dynamic-link: PLT rewrite overflows large displacement on x32
  [31221] localedata: Add localedata for ISO code "tok" (Toki Pona)
  [31230] dynamic-link: PLT rewrite failed without SELinux
  [31239] localedata: anp_IN locale: abbreviated month names are the
    same as the full month names
  [31244] nptl: pthread_cancel hangs on sparc32
  [31257] localedata: Sync with  CLDR: “Turkey” -> “Türkiye”
  [31266] string: sparc: string/tst-memmove-overflow fails on 32-bit
    sparcv9
  [31276] libc: Wrong condition for heap allocation in qsort_r

[pierre]

I'd suggest updating to tzdata-2024a too (#5428).

[Xi Ruoyao]

Fixed for trunk.

I'll post Glibc SA later (after the new Glibc page is rendered on the server).

[Xi Ruoyao]

​SA 12.0-085.