
Bug#1053419: unblock: glibc/2.37-12



Package: release.debian.org
Severity: normal
Tags: security
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: glibc@packages.debian.org
Control: affects -1 + src:glibc

[ Reason ]
glibc/2.37-12 fixes a local root vulnerability. I believe the package
should migrate to testing as soon as possible, bypassing the debci
tests.

[ Impact ]
Users of testing will be left with a local root vulnerability.

[ Tests ]
The testsuite has been updated to check for the security issue. In
addition manual testing has been done to confirm the security
vulnerability has been fixed.

[ Risks ]
The diff between glibc/2.37-11 and glibc/2.37-12 are minimal, with the
exception of XFAILing a test on hurd-i386, and slightly adjusting the
allowed accuracy in the test of the y0_towardzero function.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Without packages with flaky autopkgtests, glibc/2.37-11 should have been
in testing for a few days already, so I have considered that version as
a basis for filling this unblock.
diff --git a/debian/changelog b/debian/changelog
index deca040f..c3f116c3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+glibc (2.37-12) unstable; urgency=critical
+
+  [ Samuel Thibault ]
+  * debian/testsuite-xfail-debian.mk: Update xfails for hurd-i386.
+
+  [ Aurelien Jarno ]
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - Fix a buffer overflow in the dynamic loader's processing of the
+      GLIBC_TUNABLES environment variable (CVE-2023-4911).
+  * Set urgency to critical given the security issue.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Tue, 03 Oct 2023 19:14:06 +0200
+
 glibc (2.37-11) unstable; urgency=medium
 
   [ Samuel Thibault ]
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index d8549680..ecaf3162 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,10 @@
 GIT update of https://sourceware.org/git/glibc.git/release/2.37/master from glibc-2.37
 
 diff --git a/NEWS b/NEWS
-index ad5196a5f1..3725cc4820 100644
+index ad5196a5f1..b351537a78 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,50 @@ See the end for copying conditions.
+@@ -5,6 +5,55 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <https://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -34,6 +34,11 @@ index ad5196a5f1..3725cc4820 100644
 +  an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
 +  AI_ALL and AI_V4MAPPED flags set.
 +
++  CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
++  environment of a setuid program and NAME is valid, it may result in a
++  buffer overflow, which could be exploited to achieve escalated
++  privileges.  This flaw was introduced in glibc 2.34.
++
 +The following bugs are resolved with this release:
 +
 +  [20975] Deferred cancellation triggers in __check_pf and looses lock leading to deadlock
@@ -55,7 +60,7 @@ index ad5196a5f1..3725cc4820 100644
  Version 2.37
  
  Major new features:
-@@ -105,6 +149,8 @@ The following bugs are resolved with this release:
+@@ -105,6 +154,8 @@ The following bugs are resolved with this release:
      coincides with offset change
    [30039] stdio: __vsprintf_internal does not handle unspecified buffer
      length in fortify mode
@@ -638,6 +643,42 @@ index d35a725415..32a8bfcf74 100644
  #endif
  
        /* Store the result for later runs.  */
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 327b9eb52f..985b69c180 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
+       /* If we reach the end of the string before getting a valid name-value
+ 	 pair, bail out.  */
+       if (p[len] == '\0')
+-	{
+-	  if (__libc_enable_secure)
+-	    tunestr[off] = '\0';
+-	  return;
+-	}
++	break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+ 	 colon.  */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
+ 	    }
+ 	}
+ 
+-      if (p[len] != '\0')
+-	p += len + 1;
++      /* We reached the end while processing the tunable string.  */
++      if (p[len] == '\0')
++	break;
++
++      p += len + 1;
+     }
++
++  /* Terminate tunestr before we leave.  */
++  if (__libc_enable_secure)
++    tunestr[off] = '\0';
+ }
+ #endif
+ 
 diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list
 index a685f5cdbc..695ba7192e 100644
 --- a/elf/dl-tunables.list
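Review bot: The final `tunestr[off] = '\0';` in parse_tunables is only safe while `off` stays within the buffer that tunestr points to, and nothing in the visible lines states or checks that bound. The change appears to restore it by leaving the loop as soon as `p[len] == '\0'`, so the tail of the string is not parsed a second time, but the copy into tunestr sits outside these hunks and the reasoning has to be inferred. I would extend the new comment to record the invariant, for example `/* In secure mode tunestr is rewritten in place; each name-value pair is consumed once, so off cannot pass the end of the original string.  */`. The body of parse_tunables starts and continues outside the hunk, so the claim should be confirmed against the full function.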
@@ -999,6 +1040,97 @@ index f6ab991398..f6dfbbe202 100644
    /* Verify that dlmopen creates a new namespace.  */
    void *dlmopen_handle = xdlmopen (LM_ID_NEWLM, LIBC_SO, RTLD_NOW);
    TEST_VERIFY (dlmopen_handle != handle);
+diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
+index 807b426012..1f5e7f4f06 100644
+--- a/elf/tst-env-setuid-tunables.c
++++ b/elf/tst-env-setuid-tunables.c
+@@ -52,6 +52,8 @@ const char *teststrings[] =
+   "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+   "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
+   "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.check=2",
+   "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
+   "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
+   ":glibc.malloc.garbage=2:glibc.malloc.check=1",
+@@ -70,6 +72,8 @@ const char *resultstrings[] =
+   "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "",
+   "",
+   "",
+   "",
+@@ -84,11 +88,18 @@ test_child (int off)
+   const char *val = getenv ("GLIBC_TUNABLES");
+ 
+ #if HAVE_TUNABLES
++  printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
++  fflush (stdout);
+   if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+     return 0;
+ 
+   if (val != NULL)
+-    printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
++    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
++	    off, val, resultstrings[off]);
++  else
++    printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
++
++  fflush (stdout);
+ 
+   return 1;
+ #else
+@@ -117,21 +128,26 @@ do_test (int argc, char **argv)
+       if (ret != 0)
+ 	exit (1);
+ 
+-      exit (EXIT_SUCCESS);
++      /* Special return code to make sure that the child executed all the way
++	 through.  */
++      exit (42);
+     }
+   else
+     {
+-      int ret = 0;
+-
+       /* Spawn tests.  */
+       for (int i = 0; i < array_length (teststrings); i++)
+ 	{
+ 	  char buf[INT_BUFSIZE_BOUND (int)];
+ 
+-	  printf ("Spawned test for %s (%d)\n", teststrings[i], i);
++	  printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
+ 	  snprintf (buf, sizeof (buf), "%d\n", i);
++	  fflush (stdout);
+ 	  if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
+-	    exit (1);
++	    {
++	      printf ("    [%d] Failed to set GLIBC_TUNABLES: %m", i);
++	      support_record_failure ();
++	      continue;
++	    }
+ 
+ 	  int status = support_capture_subprogram_self_sgid (buf);
+ 
+@@ -139,9 +155,14 @@ do_test (int argc, char **argv)
+ 	  if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
+ 	    return EXIT_UNSUPPORTED;
+ 
+-	  ret |= status;
++	  if (WEXITSTATUS (status) != 42)
++	    {
++	      printf ("    [%d] child failed with status %d\n", i,
++		      WEXITSTATUS (status));
++	      support_record_failure ();
++	    }
+ 	}
+-      return ret;
++      return 0;
+     }
+ }
+ 
 diff --git a/elf/tst-ldconfig-p.sh b/elf/tst-ldconfig-p.sh
 new file mode 100644
 index 0000000000..ec937bf4ec
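Review bot: In test_child the added `printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);` runs before any NULL check, although the new `else` branch below it shows that `val` can be NULL; passing NULL for `%s` is undefined in ISO C and only works here because glibc prints `(null)`. Moving the print after the check, or writing `val != NULL ? val : "(null)"`, keeps the diagnostic without depending on that. In do_test the `"    [%d] Failed to set GLIBC_TUNABLES: %m"` message has no trailing `\n`, so the next test's output will run on the same line. Both functions begin outside the hunk.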
@@ -2982,6 +3114,19 @@ index 66b3ff9763..28daf3f89b 100644
 -#define DL_FIXUP_BINDNOW_RELOC(value, new_value, st_value)	\
 +#define DL_FIXUP_BINDNOW_RELOC(l, reloc, value, new_value, st_value, lazy) \
    *(value) = *(DL_FIXUP_VALUE_TYPE *) ((uintptr_t) (new_value) & ~2)
+diff --git a/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps b/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps
+index 8705a7822c..6f50cec761 100644
+--- a/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps
++++ b/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps
+@@ -1617,7 +1617,7 @@ ldouble: 5
+ 
+ Function: "y0_towardzero":
+ double: 4
+-float: 8
++float: 9
+ float128: 3
+ ldouble: 8
+ 
 diff --git a/sysdeps/ia64/dl-lookupcfg.h b/sysdeps/ia64/dl-lookupcfg.h
 index 0e47e529fe..64218fa7bb 100644
 --- a/sysdeps/ia64/dl-lookupcfg.h
diff --git a/debian/testsuite-xfail-debian.mk b/debian/testsuite-xfail-debian.mk
index 51217bc6..718daa30 100644
--- a/debian/testsuite-xfail-debian.mk
+++ b/debian/testsuite-xfail-debian.mk
@@ -375,6 +375,7 @@ test-xfail-tst-nss-gai-actions = yes
 # new in 2.37
 test-xfail-tst-fcntl-lock = yes
 test-xfail-tst-fcntl-lock-lfs = yes
+test-xfail-tst-nss-gai-hv2-canonname = yes
 
 # missing RLIMIT_AS support
 test-xfail-tst-vfprintf-width-prec-mem = yes
