diff options
Diffstat (limited to 'source/l/glibc/patches/glibc-2.37.CVE-2023-4911.patch')
| -rw-r--r-- | source/l/glibc/patches/glibc-2.37.CVE-2023-4911.patch | 70 |
1 files changed, 0 insertions, 70 deletions
diff --git a/source/l/glibc/patches/glibc-2.37.CVE-2023-4911.patch b/source/l/glibc/patches/glibc-2.37.CVE-2023-4911.patch deleted file mode 100644 index 074317990..000000000 --- a/source/l/glibc/patches/glibc-2.37.CVE-2023-4911.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa Mon Sep 17 00:00:00 2001 -From: Siddhesh Poyarekar <siddhesh@sourceware.org> -Date: Tue, 19 Sep 2023 18:39:32 -0400 -Subject: [PATCH] tunables: Terminate if end of input is reached - (CVE-2023-4911) - -The string parsing routine may end up writing beyond bounds of tunestr -if the input tunable string is malformed, of the form name=name=val. -This gets processed twice, first as name=name=val and next as name=val, -resulting in tunestr being name=name=val:name=val, thus overflowing -tunestr. - -Terminate the parsing loop at the first instance itself so that tunestr -does not overflow. - -Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> -Reviewed-by: Carlos O'Donell <carlos@redhat.com> ---- - NEWS | 5 +++++ - elf/dl-tunables.c | 17 +++++++++------- - - ---- ./NEWS.orig 2023-01-31 21:27:45.000000000 -0600 -+++ ./NEWS 2023-10-03 15:47:54.560781260 -0500 -@@ -28,6 +28,11 @@ - heap and prints it to the target log file, potentially revealing a - portion of the contents of the heap. - -+ CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the -+ environment of a setuid program and NAME is valid, it may result in a -+ buffer overflow, which could be exploited to achieve escalated -+ privileges. This flaw was introduced in glibc 2.34. -+ - The following bugs are resolved with this release: - - [12154] network: Cannot resolve hosts which have wildcard aliases ---- ./elf/dl-tunables.c.orig 2023-01-31 21:27:45.000000000 -0600 -+++ ./elf/dl-tunables.c 2023-10-03 15:47:54.560781260 -0500 -@@ -187,11 +187,7 @@ - /* If we reach the end of the string before getting a valid name-value - pair, bail out. */ - if (p[len] == '\0') -- { -- if (__libc_enable_secure) -- tunestr[off] = '\0'; -- return; -- } -+ break; - - /* We did not find a valid name-value pair before encountering the - colon. */ -@@ -251,9 +247,16 @@ - } - } - -- if (p[len] != '\0') -- p += len + 1; -+ /* We reached the end while processing the tunable string. */ -+ if (p[len] == '\0') -+ break; -+ -+ p += len + 1; - } -+ -+ /* Terminate tunestr before we leave. */ -+ if (__libc_enable_secure) -+ tunestr[off] = '\0'; - } - #endif - |