Tue Oct 3 22:19:10 UTC 202320231003221910

a/aaa_glibc-solibs-2.37-x86_64-3.txz: Rebuilt. a/dialog-1.3_20231002-x86_64-1.txz: Upgraded. ap/mpg123-1.32.3-x86_64-1.txz: Upgraded. d/llvm-17.0.2-x86_64-1.txz: Upgraded. d/meson-1.2.2-x86_64-2.txz: Rebuilt. [PATCH] Revert rust: apply global, project, and environment C args to bindgen. This fixes building Mesa. Thanks to lucabon and marav. kde/calligra-3.2.1-x86_64-34.txz: Rebuilt. Recompiled against poppler-23.10.0. kde/cantor-23.08.1-x86_64-2.txz: Rebuilt. Recompiled against poppler-23.10.0. kde/kfilemetadata-5.110.0-x86_64-2.txz: Rebuilt. Recompiled against poppler-23.10.0. kde/kile-2.9.93-x86_64-28.txz: Rebuilt. Recompiled against poppler-23.10.0. kde/kitinerary-23.08.1-x86_64-2.txz: Rebuilt. Recompiled against poppler-23.10.0. kde/krita-5.1.5-x86_64-15.txz: Rebuilt. Recompiled against poppler-23.10.0. kde/okular-23.08.1-x86_64-2.txz: Rebuilt. Recompiled against poppler-23.10.0. l/glibc-2.37-x86_64-3.txz: Rebuilt. l/glibc-i18n-2.37-x86_64-3.txz: Rebuilt. Patched to fix the "Looney Tunables" vulnerability, a local privilege escalation in ld.so. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c. Thanks to Qualys Research Labs for reporting this issue. For more information, see: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt https://www.cve.org/CVERecord?id=CVE-2023-4911 (* Security fix *) l/glibc-profile-2.37-x86_64-3.txz: Rebuilt. l/mozilla-nss-3.94-x86_64-1.txz: Upgraded. l/poppler-23.10.0-x86_64-1.txz: Upgraded. Shared library .so-version bump. n/NetworkManager-1.44.2-x86_64-1.txz: Upgraded. n/irssi-1.4.5-x86_64-1.txz: Upgraded. x/fcitx5-5.1.1-x86_64-1.txz: Upgraded. x/fcitx5-anthy-5.1.1-x86_64-1.txz: Upgraded. x/fcitx5-chinese-addons-5.1.1-x86_64-1.txz: Upgraded. x/fcitx5-gtk-5.1.0-x86_64-1.txz: Upgraded. x/fcitx5-hangul-5.1.0-x86_64-1.txz: Upgraded. x/fcitx5-kkc-5.1.0-x86_64-1.txz: Upgraded. x/fcitx5-m17n-5.1.0-x86_64-1.txz: Upgraded. x/fcitx5-qt-5.1.1-x86_64-1.txz: Upgraded. x/fcitx5-sayura-5.1.0-x86_64-1.txz: Upgraded. x/fcitx5-table-extra-5.1.0-x86_64-1.txz: Upgraded. x/fcitx5-table-other-5.1.0-x86_64-1.txz: Upgraded. x/fcitx5-unikey-5.1.1-x86_64-1.txz: Upgraded. x/libX11-1.8.7-x86_64-1.txz: Upgraded. This update fixes security issues: libX11: out-of-bounds memory access in _XkbReadKeySyms(). libX11: stack exhaustion from infinite recursion in PutSubImage(). libX11: integer overflow in XCreateImage() leading to a heap overflow. For more information, see: https://lists.x.org/archives/xorg-announce/2023-October/003424.html https://www.cve.org/CVERecord?id=CVE-2023-43785 https://www.cve.org/CVERecord?id=CVE-2023-43786 https://www.cve.org/CVERecord?id=CVE-2023-43787 (* Security fix *) x/libXpm-3.5.17-x86_64-1.txz: Upgraded. This update fixes security issues: libXpm: out of bounds read in XpmCreateXpmImageFromBuffer(). libXpm: out of bounds read on XPM with corrupted colormap. For more information, see: https://lists.x.org/archives/xorg-announce/2023-October/003424.html https://www.cve.org/CVERecord?id=CVE-2023-43788 https://www.cve.org/CVERecord?id=CVE-2023-43789 (* Security fix *) testing/packages/aaa_glibc-solibs-2.38-x86_64-2.txz: Rebuilt. testing/packages/glibc-2.38-x86_64-2.txz: Rebuilt. Patched to fix the "Looney Tunables" vulnerability, a local privilege escalation in ld.so. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c. Thanks to Qualys Research Labs for reporting this issue. For more information, see: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt https://www.cve.org/CVERecord?id=CVE-2023-4911 (* Security fix *) testing/packages/glibc-i18n-2.38-x86_64-2.txz: Rebuilt. testing/packages/glibc-profile-2.38-x86_64-2.txz: Rebuilt.
author: Patrick J Volkerding <volkerdi@slackware.com> 2023-10-03 22:19:10 +0000
committer: Eric Hameleers <alien@slackware.com> 2023-10-04 01:08:21 +0200
commit: 7a2ee07f950f14ce482ae370d28b18de8fcbde69 (patch)
tree: b1ff69f347e10c2054f5faa019944d89990d1596 /testing
parent: cb4e8726f423a41c65ca89c8b8346b0974417940 (diff)
download: current-7a2ee07f950f14ce482ae370d28b18de8fcbde69.tar.gz
current-7a2ee07f950f14ce482ae370d28b18de8fcbde69.tar.xz
2 files changed, 174 insertions, 1 deletions
diff --git a/testing/source/glibc/glibc.SlackBuild b/testing/source/glibc/glibc.SlackBuild
index 0ef328ebb..044662fe5 100755
--- a/testing/source/glibc/glibc.SlackBuild
+++ b/testing/source/glibc/glibc.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=glibc
 VERSION=${VERSION:-$(echo glibc-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
 CHECKOUT=${CHECKOUT:-""}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # I was considering disabling NSCD, but MoZes talked me out of it.  :)
 #DISABLE_NSCD=" --disable-nscd "
diff --git a/testing/source/glibc/patches/glibc.CVE-2023-4911.patch b/testing/source/glibc/patches/glibc.CVE-2023-4911.patch
new file mode 100644
index 000000000..a790a8305
--- /dev/null
+++ b/testing/source/glibc/patches/glibc.CVE-2023-4911.patch
@@ -0,0 +1,173 @@
+From 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Tue, 19 Sep 2023 18:39:32 -0400
+Subject: [PATCH] tunables: Terminate if end of input is reached
+ (CVE-2023-4911)
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+
+This also fixes up tst-env-setuid-tunables to actually handle failures
+correct and add new tests to validate the fix for this CVE.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+---
+ NEWS                          |  5 +++++
+ elf/dl-tunables.c             | 17 +++++++++-------
+ elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++--------
+ 3 files changed, 44 insertions(+), 15 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index a94650da64..cc4b81f0ac 100644
+--- a/NEWS
++++ b/NEWS
+@@ -64,6 +64,11 @@ Security related changes:
+   an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
+   AI_ALL and AI_V4MAPPED flags set.
+ 
++  CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
++  environment of a setuid program and NAME is valid, it may result in a
++  buffer overflow, which could be exploited to achieve escalated
++  privileges.  This flaw was introduced in glibc 2.34.
++
+ The following bugs are resolved with this release:
+ 
+   [The release manager will add the list generated by
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 62b7332d95..cae67efa0a 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -180,11 +180,7 @@ parse_tunables (char *tunestr, char *valstring)
+       /* If we reach the end of the string before getting a valid name-value
+ 	 pair, bail out.  */
+       if (p[len] == '\0')
+-	{
+-	  if (__libc_enable_secure)
+-	    tunestr[off] = '\0';
+-	  return;
+-	}
++	break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+ 	 colon.  */
+@@ -244,9 +240,16 @@ parse_tunables (char *tunestr, char *valstring)
+ 	    }
+ 	}
+ 
+-      if (p[len] != '\0')
+-	p += len + 1;
++      /* We reached the end while processing the tunable string.  */
++      if (p[len] == '\0')
++	break;
++
++      p += len + 1;
+     }
++
++  /* Terminate tunestr before we leave.  */
++  if (__libc_enable_secure)
++    tunestr[off] = '\0';
+ }
+ 
+ /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when
+diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
+index 7dfb0e073a..f0b92c97e7 100644
+--- a/elf/tst-env-setuid-tunables.c
++++ b/elf/tst-env-setuid-tunables.c
+@@ -50,6 +50,8 @@ const char *teststrings[] =
+   "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+   "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
+   "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.check=2",
+   "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
+   "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
+   ":glibc.malloc.garbage=2:glibc.malloc.check=1",
+@@ -68,6 +70,8 @@ const char *resultstrings[] =
+   "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "",
+   "",
+   "",
+   "",
+@@ -81,11 +85,18 @@ test_child (int off)
+ {
+   const char *val = getenv ("GLIBC_TUNABLES");
+ 
++  printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
++  fflush (stdout);
+   if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+     return 0;
+ 
+   if (val != NULL)
+-    printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
++    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
++	    off, val, resultstrings[off]);
++  else
++    printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
++
++  fflush (stdout);
+ 
+   return 1;
+ }
+@@ -106,21 +117,26 @@ do_test (int argc, char **argv)
+       if (ret != 0)
+ 	exit (1);
+ 
+-      exit (EXIT_SUCCESS);
++      /* Special return code to make sure that the child executed all the way
++	 through.  */
++      exit (42);
+     }
+   else
+     {
+-      int ret = 0;
+-
+       /* Spawn tests.  */
+       for (int i = 0; i < array_length (teststrings); i++)
+ 	{
+ 	  char buf[INT_BUFSIZE_BOUND (int)];
+ 
+-	  printf ("Spawned test for %s (%d)\n", teststrings[i], i);
++	  printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
+ 	  snprintf (buf, sizeof (buf), "%d\n", i);
++	  fflush (stdout);
+ 	  if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
+-	    exit (1);
++	    {
++	      printf ("    [%d] Failed to set GLIBC_TUNABLES: %m", i);
++	      support_record_failure ();
++	      continue;
++	    }
+ 
+ 	  int status = support_capture_subprogram_self_sgid (buf);
+ 
+@@ -128,9 +144,14 @@ do_test (int argc, char **argv)
+ 	  if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
+ 	    return EXIT_UNSUPPORTED;
+ 
+-	  ret |= status;
++	  if (WEXITSTATUS (status) != 42)
++	    {
++	      printf ("    [%d] child failed with status %d\n", i,
++		      WEXITSTATUS (status));
++	      support_record_failure ();
++	    }
+ 	}
+-      return ret;
++      return 0;
+     }
+ }
+ 
+-- 
+2.39.3
+
+
author	Patrick J Volkerding <volkerdi@slackware.com>	2023-10-03 22:19:10 +0000
committer	Eric Hameleers <alien@slackware.com>	2023-10-04 01:08:21 +0200
commit	7a2ee07f950f14ce482ae370d28b18de8fcbde69 (patch)
tree	b1ff69f347e10c2054f5faa019944d89990d1596 /testing
parent	cb4e8726f423a41c65ca89c8b8346b0974417940 (diff)
download	current-7a2ee07f950f14ce482ae370d28b18de8fcbde69.tar.gz current-7a2ee07f950f14ce482ae370d28b18de8fcbde69.tar.xz