#5481 closed enhancement (fixed)
CVE-2024-2961 in glibc-2.39
| Reported by: | rahul | Owned by: | lfs-book |
|---|---|---|---|
| Priority: | high | Milestone: | 12.2 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Seems like a bug in iconv() can crash the system and/or allow remote access through a buffer overflow. Seems to affect anything using internationalization, especially PHP.
Change History (10)
comment:1 by , 7 months ago
comment:2 by , 7 months ago
comment:3 by , 7 months ago
It looks like only the 10 lines added to iconvdata/iso-2022-cn-ext.c if we ignore the added test.
comment:4 by , 7 months ago
But it seems impractical to make a sed for this. I think we'd just apply the patch as-is to 2.39 and tell the users to upgrade to a patched Glibc-2.39 (note that we now prefer upgrading Glibc for security updates instead of providing one patch for each affected version).
comment:5 by , 7 months ago
sed '/escseq;/i if(outptr+4>outend){result=__GCONV_FULL_OUTPUT;break;}/' -i iconvdata/iso-2022-cn-ext.c might work but I really dislike it: it's over-complex (to me) and it duplicates the if statement where it already exists (there are 4 instances of escseq; and only 2 out of 4 lacks this if statement).
follow-up: 7 comment:6 by , 7 months ago
From oss-security:
* Adhemerval Zanella Netto: > The following security advisories have been published: > > GLIBC-SA-2024-0004: > =================== > ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence For those who haven't prepared/shipped updates yet: we've got a fix for a stack-based buffer overflow in nscd under review. [PATCH 0/4] Various nscd security fixes <https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/> These are initial patches, still under review. The glibc security team will send a separate notification once official patches are ready. The initial issue was reported in Bugzilla without an embargo period, hence the public patch development. The other bugs concern the same code and are very minor compared to the initial finding, so a separate embargo for them doesn't make sense. Thanks, Florian
We need to keep an eye out for these nscd patches and try to get them in as soon as they're officially released
comment:7 by , 7 months ago
Replying to Douglas R. Reno:
From oss-security:
* Adhemerval Zanella Netto: > The following security advisories have been published: > > GLIBC-SA-2024-0004: > =================== > ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence For those who haven't prepared/shipped updates yet: we've got a fix for a stack-based buffer overflow in nscd under review. [PATCH 0/4] Various nscd security fixes <https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/> These are initial patches, still under review. The glibc security team will send a separate notification once official patches are ready. The initial issue was reported in Bugzilla without an embargo period, hence the public patch development. The other bugs concern the same code and are very minor compared to the initial finding, so a separate embargo for them doesn't make sense. Thanks, FlorianWe need to keep an eye out for these nscd patches and try to get them in as soon as they're officially released
We've disabled nscd since LFS 12.1. Those running old LFS releases should disable it as well (just remove the nscd binary and disable the systemd unit - if running LFS systemd, as documented in the Glibc page).
comment:10 by , 7 months ago
The patch is revised at r12.1-54-g9b39be426 to fix broken UTF-8 sequence in the test file.
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
I think we need to apply 31da30f23cddd36db29d5b6a1c7619361b271fb4