Move CVE information into advisories directory

One of the requirements to becoming a CVE Numbering Authority (CNA) is
to publish advisories.  Do this by maintaining a file for each CVE fixed
in the advisories directory in the source tree.  Links to the advisories
can then be shared as:

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-YYYY-NNNN

The file format at the moment is rudimentary and derives from the git
commit format, i.e. a subject line and a potentially multi-paragraph
description and then tags to describe some meta information.  This is a
loose format at the moment and could change as we evolve this.

Also add a script process-fixed-cves.sh that processes these advisories
and generates a list to add to NEWS at release time.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Siddhesh Poyarekar 2023-10-12 12:50:49 -04:00
parent 3367d8e180
commit 60c57b8467
7 changed files with 125 additions and 18 deletions
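The advisory format sketched in the commit message (a subject line, a free-form description, then `Name: value` tags, with the commit-bearing tags carrying `<sha> (<release>)`) is simple enough to parse and sanity-check in a few lines. The following is an added example, not code from the glibc tree or from this commit. It assumes a blank line separates the subject, description and tag block (the commit message leaves that detail open), uses the CVE-2023-5156 advisory text from this commit as a constructed sample, and mirrors the release-tag test that scripts/process-fixed-cves.sh greps for (`fixed_in`) and the NEWS snippet it prints (`news_entry`, with `textwrap` standing in for `fold -s`). The validation rules (one CVE-Id, one Public-Date, at least one Fix-Commit, plain X.Y release tags) are this example's own choices, not a format specification.

```python
"""Parse and sanity-check glibc-style advisory files (added example, not glibc code)."""
import re
import textwrap
from dataclasses import dataclass, field

TAG_RE = re.compile(r"^([A-Z][A-Za-z-]*): (.*)$")
COMMIT_RE = re.compile(r"^([0-9a-f]{40}) \(([^()]+)\)$")   # "<sha> (<release>)"
RELEASE_RE = re.compile(r"^\d+\.\d+$")                    # e.g. 2.39
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
COMMIT_TAGS = ("Vulnerable-Commit", "Vulnerable-Backport", "Fix-Commit", "Fix-Backport")

# Constructed sample: the CVE-2023-5156 advisory from this commit, with the
# blank lines between subject, description and tags that this parser assumes.
SAMPLE = """\
getaddrinfo: DoS due to memory leak

The fix for CVE-2023-4806 introduced a memory leak when an application
calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
flags set.

CVE-Id: CVE-2023-5156
Public-Date: 2023-09-25
Vulnerable-Commit: 973fe93a5675c42798b2161c6f29c01b0e243994 (pre-2.39)
Fix-Commit: ec6b95c3303c700eb89eebeda2d7264cc184a796 (2.39)
Fix-Backport: 8006457ab7e1cd556b919f477348a96fe88f2e49 (2.34)
"""


@dataclass
class Advisory:
    subject: str
    description: str
    tags: list = field(default_factory=list)   # (name, value); names may repeat

    def values(self, name):
        return [v for n, v in self.tags if n == name]

    def commits(self, name):
        """(sha, release) pairs for a commit-bearing tag; raises on malformed values."""
        pairs = []
        for v in self.values(name):
            m = COMMIT_RE.match(v)
            if not m:
                raise ValueError(f"{name}: malformed value {v!r}")
            pairs.append((m.group(1), m.group(2)))
        return pairs

    def fixed_in(self, release):
        """The test process-fixed-cves.sh greps for: a Fix-Commit tagged (release)."""
        return any(rel == release for _, rel in self.commits("Fix-Commit"))


def parse_advisory(text):
    lines = text.rstrip("\n").split("\n")
    if not lines[0].strip():
        raise ValueError("advisory must start with a subject line")
    # The tag block is the maximal run of "Name: value" (or blank) lines at the
    # end of the file; everything between it and the subject is the description.
    end = len(lines)
    while end > 1 and (not lines[end - 1].strip() or TAG_RE.match(lines[end - 1])):
        end -= 1
    tags = [TAG_RE.match(l).groups() for l in lines[end:] if l.strip()]
    return Advisory(lines[0].strip(), "\n".join(lines[1:end]).strip(), tags)


def validate(adv):
    """Return a list of problems; an empty list means the advisory is well-formed."""
    problems = []
    cves = adv.values("CVE-Id")
    if len(cves) != 1 or not CVE_RE.match(cves[0]):
        problems.append("exactly one well-formed CVE-Id tag is required")
    dates = adv.values("Public-Date")
    if len(dates) != 1 or not DATE_RE.match(dates[0]):
        problems.append("exactly one Public-Date tag (YYYY-MM-DD) is required")
    if not adv.values("Fix-Commit"):
        problems.append("Fix-Commit tag is missing")
    for name in COMMIT_TAGS:
        try:
            for _sha, rel in adv.commits(name):
                if not RELEASE_RE.match(rel):
                    # A tag like "(pre-2.39)" never matches a "($cur_rel)$" grep.
                    problems.append(f"{name}: release tag {rel!r} is not a plain X.Y version")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def news_entry(adv, filename, width=68):
    """NEWS snippet in the shape process-fixed-cves.sh prints (textwrap for fold -s)."""
    cve = adv.values("CVE-Id")[0]
    wrapped = textwrap.wrap(f"{adv.subject} ({cve})", width=width)
    return "\n".join([f"  {filename}:"] + [f"    {l}" for l in wrapped]) + "\n"


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE)
    print(news_entry(adv, "GLIBC-SA-YYYY-NNNN"))
    for problem in validate(adv):
        print("warning:", problem)
```

Run against the sample, the parser lists the advisory as fixed in 2.39 and not in 2.38, and `validate` flags the `(pre-2.39)` tag on Vulnerable-Commit as not being a plain version number, which is exactly the kind of value a release-tag grep silently skips. The tag detection is heuristic: a description whose last line happens to look like `Word: text` would be swallowed into the tag block, which is the price of the loose format the commit message describes.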

NEWS

@ -75,25 +75,11 @@ Changes to build and runtime requirements:
Security related changes:
CVE-2023-4527: If the system is configured in no-aaaa mode via
/etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
family, and a DNS response is received over TCP that is larger than
2048 bytes, getaddrinfo may potentially disclose stack contents via
the returned address data, or crash.
The following CVEs were fixed in this release, details of which can be
found in the advisories directory of the release tarball:
CVE-2023-4806: When an NSS plugin only implements the
_gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
memory that was freed during buffer resizing, potentially causing a
crash or read or write to arbitrary memory.
CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
AI_ALL and AI_V4MAPPED flags set.
CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
environment of a setuid program and NAME is valid, it may result in a
buffer overflow, which could be exploited to achieve escalated
privileges. This flaw was introduced in glibc 2.34.
[The release manager will add the list generated by
scripts/process-fixed-cves.sh just before the release.]
The following bugs are resolved with this release:
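Review bot: The new NEWS text sends readers to "the advisories directory of the release tarball", but nothing in this commit touches the dist rules (the seven changed files are NEWS, five advisories and the script), so confirm that advisories/ is actually shipped in the tarball before the per-CVE paragraphs removed here are relied on being available there. The placeholder "[The release manager will add the list generated by scripts/process-fixed-cves.sh just before the release.]" also needs a release-checklist item so it is replaced rather than published verbatim.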


@ -0,0 +1,14 @@
printf: incorrect output for integers with thousands separator and width field
When the printf family of functions is called with a format specifier
that uses an <apostrophe> (enable grouping) and a minimum width
specifier, the resulting output could be larger than reasonably expected
by a caller that computed a tight bound on the buffer size. The
resulting larger than expected output could result in a buffer overflow
in the printf family of functions.
CVE-Id: CVE-2023-25139
Public-Date: 2023-02-02
Vulnerable-Commit: e88b9f0e5cc50cab57a299dc7efe1a4eb385161d (2.37)
Fix-Commit: c980549cc6a1c03c23cc2fe3e7b0fe626a0364b0 (2.38)
Fix-Backport: 07b9521fc6369d000216b96562ff7c0ed32a16c4 (2.37)


@ -0,0 +1,15 @@
getaddrinfo: Stack read overflow in no-aaaa mode
If the system is configured in no-aaaa mode via /etc/resolv.conf,
getaddrinfo is called for the AF_UNSPEC address family, and a DNS
response is received over TCP that is larger than 2048 bytes,
getaddrinfo may potentially disclose stack contents via the returned
address data, or crash.
CVE-Id: CVE-2023-4527
Public-Date: 2023-09-12
Vulnerable-Commit: f282cdbe7f436c75864e5640a409a10485e9abb2 (2.36)
Fix-Commit: bd77dd7e73e3530203be1c52c8a29d08270cb25d (2.39)
Fix-Backport: 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f (2.36)
Fix-Backport: b7529346025a130fee483d42178b5c118da971bb (2.37)
Fix-Backport: b25508dd774b617f99419bdc3cf2ace4560cd2d6 (2.38)


@ -0,0 +1,15 @@
getaddrinfo: Potential use-after-free
When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during buffer resizing, potentially causing a crash or read or write to
arbitrary memory.
CVE-Id: CVE-2023-4806
Public-Date: 2023-09-12
Fix-Commit: 973fe93a5675c42798b2161c6f29c01b0e243994 (2.39)
Fix-Backport: e09ee267c03e3150c2c9ba28625ab130705a485e (2.34)
Fix-Backport: e3ccb230a961b4797510e6a1f5f21fd9021853e7 (2.35)
Fix-Backport: a9728f798ec7f05454c95637ee6581afaa9b487d (2.36)
Fix-Backport: 6529a7466c935f36e9006b854d6f4e1d4876f942 (2.37)
Fix-Backport: 00ae4f10b504bc4564e9f22f00907093f1ab9338 (2.38)
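Review bot: This advisory has no Vulnerable-Commit tag, unlike the other four in this commit, so a consumer cannot tell which releases are affected without reading the backport list (Fix-Backport going back to 2.34 suggests every supported branch). Either add the introducing commit or state explicitly in the description that the bug predates the supported releases.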


@ -0,0 +1,16 @@
tunables: local privilege escalation through buffer overflow
If a tunable of the form NAME=NAME=VAL is passed in the environment of a
setuid program and NAME is valid, it may result in a buffer overflow,
which could be exploited to achieve escalated privileges. This flaw was
introduced in glibc 2.34.
CVE-Id: CVE-2023-4911
Public-Date: 2023-10-03
Vulnerable-Commit: 2ed18c5b534d9e92fc006202a5af0df6b72e7aca (2.34)
Fix-Commit: 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa (2.39)
Fix-Backport: dcc367f148bc92e7f3778a125f7a416b093964d9 (2.34)
Fix-Backport: c84018a05aec80f5ee6f682db0da1130b0196aef (2.35)
Fix-Backport: 22955ad85186ee05834e47e665056148ca07699c (2.36)
Fix-Backport: b4e23c75aea756b4bddc4abcf27a1c6dca8b6bd3 (2.37)
Fix-Backport: 750a45a783906a19591fb8ff6b7841470f1f5701 (2.38)
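Review bot: The description's last sentence, "This flaw was introduced in glibc 2.34", duplicates what the Vulnerable-Commit tag "2ed18c5b534d9e92fc006202a5af0df6b72e7aca (2.34)" now encodes; drop it from the prose so the tag is the single place that has to be kept correct.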


@ -0,0 +1,20 @@
getaddrinfo: DoS due to memory leak
The fix for CVE-2023-4806 introduced a memory leak when an application
calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
flags set.
CVE-Id: CVE-2023-5156
Public-Date: 2023-09-25
Vulnerable-Commit: 973fe93a5675c42798b2161c6f29c01b0e243994 (pre-2.39)
Fix-Commit: ec6b95c3303c700eb89eebeda2d7264cc184a796 (2.39)
Vulnerable-Backport: e09ee267c03e3150c2c9ba28625ab130705a485e (2.34)
Vulnerable-Backport: e3ccb230a961b4797510e6a1f5f21fd9021853e7 (2.35)
Vulnerable-Backport: a9728f798ec7f05454c95637ee6581afaa9b487d (2.36)
Vulnerable-Backport: 6529a7466c935f36e9006b854d6f4e1d4876f942 (2.37)
Vulnerable-Backport: 00ae4f10b504bc4564e9f22f00907093f1ab9338 (2.38)
Fix-Backport: 8006457ab7e1cd556b919f477348a96fe88f2e49 (2.34)
Fix-Backport: 17092c0311f954e6f3c010f73ce3a78c24ac279a (2.35)
Fix-Backport: 856bac55f98dc840e7c27cfa82262b933385de90 (2.36)
Fix-Backport: 4473d1b87d04b25cdd0e0354814eeaa421328268 (2.37)
Fix-Backport: 5ee59ca371b99984232d7584fe2b1a758b4421d3 (2.38)
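Review bot: The Vulnerable-Commit tag uses "(pre-2.39)" where every other release tag in these files is a plain "(X.Y)"; the same commit 973fe93a5675c42798b2161c6f29c01b0e243994 is tagged "(2.39)" as the Fix-Commit in the CVE-2023-4806 advisory, so "(2.39)" would be consistent here too. Anything that matches on "(release)" the way the new script does will not recognise the "pre-" form.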

scripts/process-fixed-cves.sh Executable file

@ -0,0 +1,41 @@
#!/bin/bash -e
# Copyright The GNU Toolchain Authors.
# This file is part of the GNU C Library.
#
# The GNU C Library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# The GNU C Library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with the GNU C Library; if not, see
# <https://www.gnu.org/licenses/>.
if ! [ -d advisories ]; then
echo "error: Run me from the toplevel directory of the glibc repository."
exit 1
fi
release=$(echo RELEASE | gcc -E -include version.h -o - - | grep -v "^#")
minor=$(echo __GLIBC_MINOR__ | gcc -E -include include/features.h -o - - |
grep -v "^#")
if [ $release = "\"development\"" ]; then
cur_rel=2.$((minor + 1))
else
cur_rel=2.$minor
fi
for f in $(grep -l "^Fix-Commit: .* ($cur_rel)$" advisories/*); do
echo -e " $(basename $f):"
cve_id=$(sed -n 's/CVE-Id: \(.*\)/\1/p' $f)
echo "$(head -1 $f) ($cve_id)" | fold -w 68 -s | while read line; do
echo " $line"
done
echo
done
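Review bot: The test `if [ $release = "\"development\"" ]; then` leaves `$release` unquoted, so if the RELEASE expansion comes back empty (wrong cwd for version.h, gcc not on PATH) the script dies under `-e` with a `[` syntax error rather than a useful message; write `[ "$release" = '"development"' ]`. Separately, the loop's `grep -l "^Fix-Commit: .* ($cur_rel)$"` only recognises Fix-Commit, so a CVE whose fix landed in development and reached a stable branch via Fix-Backport is never listed when the script runs on that branch (cur_rel=2.$minor there); if the script is only ever meant for master, say so in a comment at the top.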