glibc/advisories/GLIBC-SA-2023-0004

tunables: local privilege escalation through buffer overflow

If a tunable of the form NAME=NAME=VAL is passed in the environment of a
setuid program and NAME is valid, it may result in a buffer overflow,
which could be exploited to achieve escalated privileges.  This flaw was
introduced in glibc 2.34.

CVE-Id: CVE-2023-4911
Public-Date: 2023-10-03
Vulnerable-Commit: 2ed18c5b534d9e92fc006202a5af0df6b72e7aca (2.34)
Fix-Commit: 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa (2.39)
Fix-Commit: dcc367f148bc92e7f3778a125f7a416b093964d9 (2.34-423)
Fix-Commit: c84018a05aec80f5ee6f682db0da1130b0196aef (2.35-274)
Fix-Commit: 22955ad85186ee05834e47e665056148ca07699c (2.36-118)
Fix-Commit: b4e23c75aea756b4bddc4abcf27a1c6dca8b6bd3 (2.37-45)
Fix-Commit: 750a45a783906a19591fb8ff6b7841470f1f5701 (2.38-27)
Move CVE information into advisories directory One of the requirements to becoming a CVE Numbering Authority (CNA) is to publish advisories. Do this by maintaining a file for each CVE fixed in the advisories directory in the source tree. Links to the advisories can then be shared as: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-YYYY-NNNN The file format at the moment is rudimentary and derives from the git commit format, i.e. a subject line and a potentially multi-paragraph description and then tags to describe some meta information. This is a loose format at the moment and could change as we evolve this. Also add a script process-fixed-cves.sh that processes these advisories and generates a list to add to NEWS at release time. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> 2023-10-12 16:50:49 +00:00			`tunables: local privilege escalation through buffer overflow`

			`If a tunable of the form NAME=NAME=VAL is passed in the environment of a`
			`setuid program and NAME is valid, it may result in a buffer overflow,`
			`which could be exploited to achieve escalated privileges. This flaw was`
			`introduced in glibc 2.34.`

			`CVE-Id: CVE-2023-4911`
			`Public-Date: 2023-10-03`
			`Vulnerable-Commit: 2ed18c5b534d9e92fc006202a5af0df6b72e7aca (2.34)`
			`Fix-Commit: 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa (2.39)`
Update advisory format and introduce some automation Simplify the advisory format by dropping the -Backport tags and instead stick to using just the -Commit tags. To identify backports, put a substring of git-describe into the release version in the brackets next to the commit ref. This way, it not only identifies that the fix (or regression) is on the release/2.YY/master branch, it also disambiguates regressions/fixes in the branch from those in the tarball. Add a README to make it easier for consumers to understand the format. Additionally, the Release wiki needs to be updated to inform the release manager to: 1. Generate a NEWS snipped from the advisories directory AND 2. on release/2.YY/master, replace the advisories directory with a text file pointing to the advisories directory in master so that we don't have to update multiple locations. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Reviewed-by: Andreas K. Hüttel <dilfridge@gentoo.org> 2024-01-24 18:37:20 +00:00			`Fix-Commit: dcc367f148bc92e7f3778a125f7a416b093964d9 (2.34-423)`
			`Fix-Commit: c84018a05aec80f5ee6f682db0da1130b0196aef (2.35-274)`
			`Fix-Commit: 22955ad85186ee05834e47e665056148ca07699c (2.36-118)`
			`Fix-Commit: b4e23c75aea756b4bddc4abcf27a1c6dca8b6bd3 (2.37-45)`
			`Fix-Commit: 750a45a783906a19591fb8ff6b7841470f1f5701 (2.38-27)`