Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#5481 closed enhancement (fixed)

CVE-2024-2961 in glibc-2.39

Reported by: rahul Owned by: lfs-book
Priority: high Milestone: 12.2
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

Seems like a bug in iconv() can crash the system and/or allow remote access through a buffer overflow. Seems to affect anything using internationalization, especially PHP.

https://nvd.nist.gov/vuln/detail/CVE-2024-2961

Change History (10)

comment:3 by Bruce Dubbs, 8 months ago

It looks like it's only the 10 lines added to iconvdata/iso-2022-cn-ext.c if we ignore the added test.

comment:4 by Xi Ruoyao, 8 months ago

But it seems impractical to make a sed for this. I think we'd just apply the patch as-is to 2.39 and tell the users to upgrade to a patched Glibc-2.39 (note that we now prefer upgrading Glibc for security updates instead of providing one patch for each affected version).

comment:5 by Xi Ruoyao, 8 months ago

sed '/escseq;/i if(outptr+4>outend){result=__GCONV_FULL_OUTPUT;break;}' -i iconvdata/iso-2022-cn-ext.c might work but I really dislike it: it's over-complex (to me) and it duplicates the if statement where it already exists (there are 4 instances of escseq; and only 2 out of 4 lack this if statement).
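
As an added illustration of the bounds check comment:5 describes (a constructed model, not glibc's iso-2022-cn-ext.c or the ticket's patch): a gconv-style conversion step that must report a full output buffer instead of writing a 4-byte ISO-2022 escape sequence past outend. The names ESC_CNS_PLANE1, emit_escape, convert_switches and the demo_* helpers are this example's own.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the CVE-2024-2961 fix discussed in comment:5, not
 * glibc's iso-2022-cn-ext.c: a gconv-style step writes into [outptr, outend)
 * and must stop with "output full" rather than write past outend. */
enum conv_status { CONV_OK = 0, CONV_FULL_OUTPUT = 1 };

/* ISO-2022 designation escapes are 4 bytes: ESC '$' <intermediate> <final>.
 * Constructed sample: the SO designation for CNS 11643 plane 1. */
static const unsigned char ESC_CNS_PLANE1[4] = { 0x1b, '$', ')', 'G' };

/* Hardened emit: the inserted "if (outptr + 4 > outend)" check, written as a
 * length comparison so no pointer is ever formed past the buffer end. */
static enum conv_status
emit_escape(unsigned char **outptr, const unsigned char *outend,
            const unsigned char esc[4])
{
    if ((size_t)(outend - *outptr) < 4)
        return CONV_FULL_OUTPUT;   /* nothing written; caller refills and resumes */
    memcpy(*outptr, esc, 4);
    *outptr += 4;
    return CONV_OK;
}

/* Simulate a conversion needing nswitches charset switches, one escape each.
 * *written receives the bytes emitted before the step stopped. */
enum conv_status convert_switches(size_t nswitches, unsigned char *out,
                                  size_t outlen, size_t *written)
{
    unsigned char *outptr = out;
    const unsigned char *outend = out + outlen;
    enum conv_status result = CONV_OK;
    for (size_t i = 0; i < nswitches && result == CONV_OK; i++)
        result = emit_escape(&outptr, outend, ESC_CNS_PLANE1);
    *written = (size_t)(outptr - out);
    return result;
}

/* Helpers over a fixed 64-byte buffer (outlen <= 64) for quick checks. */
int demo_status(size_t n, size_t outlen)
{ unsigned char buf[64]; size_t w; return (int)convert_switches(n, buf, outlen, &w); }
size_t demo_written(size_t n, size_t outlen)
{ unsigned char buf[64]; size_t w; convert_switches(n, buf, outlen, &w); return w; }
int main(void)
{
    printf("7-byte buffer, 2 switches: status %d, wrote %zu bytes\n",
           demo_status(2, 7), demo_written(2, 7));   /* status 1, wrote 4 bytes */
    return 0;
}
```

Without the length check the second memcpy in the 7-byte case would write one byte past the buffer, which is the out-of-bound write the advisory describes.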

comment:6 by Douglas R. Reno, 8 months ago

From oss-security:

* Adhemerval Zanella Netto:

> The following security advisories have been published:
>
> GLIBC-SA-2024-0004:
> ===================
> ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

For those who haven't prepared/shipped updates yet: we've got a fix for
a stack-based buffer overflow in nscd under review.

  [PATCH 0/4] Various nscd security fixes
  <https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/>

These are initial patches, still under review.  The glibc security team
will send a separate notification once official patches are ready.

The initial issue was reported in Bugzilla without an embargo period,
hence the public patch development.  The other bugs concern the same
code and are very minor compared to the initial finding, so a separate
embargo for them doesn't make sense.

Thanks,
Florian

We need to keep an eye out for these nscd patches and try to get them in as soon as they're officially released

in reply to:  6 comment:7 by Xi Ruoyao, 8 months ago

Replying to Douglas R. Reno:

From oss-security:

* Adhemerval Zanella Netto:

> The following security advisories have been published:
>
> GLIBC-SA-2024-0004:
> ===================
> ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

For those who haven't prepared/shipped updates yet: we've got a fix for
a stack-based buffer overflow in nscd under review.

  [PATCH 0/4] Various nscd security fixes
  <https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/>

These are initial patches, still under review.  The glibc security team
will send a separate notification once official patches are ready.

The initial issue was reported in Bugzilla without an embargo period,
hence the public patch development.  The other bugs concern the same
code and are very minor compared to the initial finding, so a separate
embargo for them doesn't make sense.

Thanks,
Florian

We need to keep an eye out for these nscd patches and try to get them in as soon as they're officially released

We've disabled nscd since LFS 12.1. Those running old LFS releases should disable it as well (just remove the nscd binary and disable the systemd unit - if running LFS systemd, as documented in the Glibc page).

comment:8 by Bruce Dubbs, 8 months ago

Resolution: fixed
Status: new → closed

Fixed at commit d0ca5ead46.

comment:9 by Xi Ruoyao, 8 months ago

SA 12.1-037.

comment:10 by Xi Ruoyao, 8 months ago

The patch is revised at r12.1-54-g9b39be426 to fix a broken UTF-8 sequence in the test file.
