Package: release.debian.org Severity: normal Tags: security User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: gl...@packages.debian.org Control: affects -1 + src:glibc
[ Reason ] glibc/2.37-12 fixes a local root vulnerability. I believe the package should migrate to testing as soon as possible, bypassing the debci tests. [ Impact ] Users of testing will be left with a local root vulnerability. [ Tests ] The testsuite has been updated to check for the security issue. In addition, manual testing has been done to confirm that the security vulnerability has been fixed. [ Risks ] The differences between glibc/2.37-11 and glibc/2.37-12 are minimal, with the exception of XFAILing a test on hurd-i386 and slightly adjusting the allowed accuracy in the test of the y0_towardzero function. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] Had it not been for packages with flaky autopkgtests, glibc/2.37-11 would have been in testing for a few days already, so I have used that version as the basis for filing this unblock request.
diff --git a/debian/changelog b/debian/changelog index deca040f..c3f116c3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +glibc (2.37-12) unstable; urgency=critical + + [ Samuel Thibault ] + * debian/testsuite-xfail-debian.mk: Update xfails for hurd-i386. + + [ Aurelien Jarno ] + * debian/patches/git-updates.diff: update from upstream stable branch: + - Fix a buffer overflow in the dynamic loader's processing of the + GLIBC_TUNABLES environment variable (CVE-2023-4911). + * Set urgency to critical given the security issue. + + -- Aurelien Jarno <aure...@debian.org> Tue, 03 Oct 2023 19:14:06 +0200 + glibc (2.37-11) unstable; urgency=medium [ Samuel Thibault ] diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index d8549680..ecaf3162 100644 --- a/debian/patches/git-updates.diff +++ b/debian/patches/git-updates.diff @@ -1,10 +1,10 @@ GIT update of https://sourceware.org/git/glibc.git/release/2.37/master from glibc-2.37 diff --git a/NEWS b/NEWS -index ad5196a5f1..3725cc4820 100644 +index ad5196a5f1..b351537a78 100644 --- a/NEWS +++ b/NEWS -@@ -5,6 +5,50 @@ See the end for copying conditions. +@@ -5,6 +5,55 @@ See the end for copying conditions. Please send GNU C library bug reports via <https://sourceware.org/bugzilla/> using `glibc' in the "product" field. @@ -34,6 +34,11 @@ index ad5196a5f1..3725cc4820 100644 + an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, + AI_ALL and AI_V4MAPPED flags set. + ++ CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the ++ environment of a setuid program and NAME is valid, it may result in a ++ buffer overflow, which could be exploited to achieve escalated ++ privileges. This flaw was introduced in glibc 2.34. ++ +The following bugs are resolved with this release: + + [20975] Deferred cancellation triggers in __check_pf and looses lock leading to deadlock 
@@ -55,7 +60,7 @@ index ad5196a5f1..3725cc4820 100644 Version 2.37 Major new features: -@@ -105,6 +149,8 @@ The following bugs are resolved with this release: +@@ -105,6 +154,8 @@ The following bugs are resolved with this release: coincides with offset change [30039] stdio: __vsprintf_internal does not handle unspecified buffer length in fortify mode @@ -638,6 +643,42 @@ index d35a725415..32a8bfcf74 100644 #endif /* Store the result for later runs. */ +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c +index 327b9eb52f..985b69c180 100644 +--- a/elf/dl-tunables.c ++++ b/elf/dl-tunables.c +@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) + /* If we reach the end of the string before getting a valid name-value + pair, bail out. */ + if (p[len] == '\0') +- { +- if (__libc_enable_secure) +- tunestr[off] = '\0'; +- return; +- } ++ break; + + /* We did not find a valid name-value pair before encountering the + colon. */ +@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) + } + } + +- if (p[len] != '\0') +- p += len + 1; ++ /* We reached the end while processing the tunable string. */ ++ if (p[len] == '\0') ++ break; ++ ++ p += len + 1; + } ++ ++ /* Terminate tunestr before we leave. */ ++ if (__libc_enable_secure) ++ tunestr[off] = '\0'; + } + #endif + diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index a685f5cdbc..695ba7192e 100644 --- a/elf/dl-tunables.list 
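Review bot: In the elf/dl-tunables.c change to parse_tunables, the new unconditional `tunestr[off] = '\0';` after the loop carries no statement of why `off` stays inside the buffer, even though the NEWS entry describes the bug as a buffer overflow on `NAME=NAME=VAL` input. The writes that advance `off` are outside the hunk, so this is inferred: the in-place rewrite appears to rely on each input byte being consumed at most once, which the new `break` on `p[len] == '\0'` restores. I would extend the comment to record that, e.g. `/* Terminate tunestr before we leave.  off cannot pass the read offset because each name=value pair is copied back at most once.  */`. The added test vector expects `glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096` to pass through unchanged, so a value containing `=` is still accepted in secure mode; a one-line comment saying this is intentional would help the next reader.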
@@ -999,6 +1040,97 @@ index f6ab991398..f6dfbbe202 100644 /* Verify that dlmopen creates a new namespace. */ void *dlmopen_handle = xdlmopen (LM_ID_NEWLM, LIBC_SO, RTLD_NOW); TEST_VERIFY (dlmopen_handle != handle); +diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c +index 807b426012..1f5e7f4f06 100644 +--- a/elf/tst-env-setuid-tunables.c ++++ b/elf/tst-env-setuid-tunables.c +@@ -52,6 +52,8 @@ const char *teststrings[] = + "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", + "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", + "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.check=2", + "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", + "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", + ":glibc.malloc.garbage=2:glibc.malloc.check=1", +@@ -70,6 +72,8 @@ const char *resultstrings[] = + "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "", + "", + "", + "", +@@ -84,11 +88,18 @@ test_child (int off) + const char *val = getenv ("GLIBC_TUNABLES"); + + #if HAVE_TUNABLES ++ printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); ++ fflush (stdout); + if (val != NULL && strcmp (val, resultstrings[off]) == 0) + return 0; + + if (val != NULL) +- printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); ++ printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", ++ off, val, resultstrings[off]); ++ else ++ printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off); ++ ++ fflush (stdout); + + return 1; + #else +@@ -117,21 +128,26 @@ do_test (int argc, char **argv) + if (ret != 0) + exit (1); + +- exit (EXIT_SUCCESS); ++ /* Special return code to make sure that the child executed all 
the way ++ through. */ ++ exit (42); + } + else + { +- int ret = 0; +- + /* Spawn tests. */ + for (int i = 0; i < array_length (teststrings); i++) + { + char buf[INT_BUFSIZE_BOUND (int)]; + +- printf ("Spawned test for %s (%d)\n", teststrings[i], i); ++ printf ("[%d] Spawned test for %s\n", i, teststrings[i]); + snprintf (buf, sizeof (buf), "%d\n", i); ++ fflush (stdout); + if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) +- exit (1); ++ { ++ printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i); ++ support_record_failure (); ++ continue; ++ } + + int status = support_capture_subprogram_self_sgid (buf); + +@@ -139,9 +155,14 @@ do_test (int argc, char **argv) + if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) + return EXIT_UNSUPPORTED; + +- ret |= status; ++ if (WEXITSTATUS (status) != 42) ++ { ++ printf (" [%d] child failed with status %d\n", i, ++ WEXITSTATUS (status)); ++ support_record_failure (); ++ } + } +- return ret; ++ return 0; + } + } + diff --git a/elf/tst-ldconfig-p.sh b/elf/tst-ldconfig-p.sh new file mode 100644 index 0000000000..ec937bf4ec @@ -2982,6 +3114,19 @@ index 66b3ff9763..28daf3f89b 100644 -#define DL_FIXUP_BINDNOW_RELOC(value, new_value, st_value) \ +#define DL_FIXUP_BINDNOW_RELOC(l, reloc, value, new_value, st_value, lazy) \ *(value) = *(DL_FIXUP_VALUE_TYPE *) ((uintptr_t) (new_value) & ~2) +diff --git a/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps b/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps +index 8705a7822c..6f50cec761 100644 +--- a/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps ++++ b/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps +@@ -1617,7 +1617,7 @@ ldouble: 5 + + Function: "y0_towardzero": + double: 4 +-float: 8 ++float: 9 + float128: 3 + ldouble: 8 + diff --git a/sysdeps/ia64/dl-lookupcfg.h b/sysdeps/ia64/dl-lookupcfg.h index 0e47e529fe..64218fa7bb 100644 --- a/sysdeps/ia64/dl-lookupcfg.h diff --git a/debian/testsuite-xfail-debian.mk b/debian/testsuite-xfail-debian.mk index 51217bc6..718daa30 100644 
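Review bot: In do_test of elf/tst-env-setuid-tunables.c, the parent reads `WEXITSTATUS (status)` with no `WIFEXITED`/`WIFSIGNALED` check visible in the hunk, so a child killed by a signal (the likely outcome if the overflow regresses) would typically be logged only as `child failed with status 0`. The sentinel exit code 42 still makes that case fail, but reporting the signal would make the log actionable, e.g. `if (WIFSIGNALED (status)) printf (" [%d] child killed by signal %d\n", i, WTERMSIG (status));` ahead of the `!= 42` comparison. Two smaller points in the same file section: the `Failed to set GLIBC_TUNABLES: %m` message lacks a trailing `\n`, and in test_child the new `printf (" [%d] GLIBC_TUNABLES is %s\n", off, val);` runs before the `val != NULL` check, so it can pass a null pointer to `%s`. Both functions start outside the hunks shown.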
--- a/debian/testsuite-xfail-debian.mk +++ b/debian/testsuite-xfail-debian.mk @@ -375,6 +375,7 @@ test-xfail-tst-nss-gai-actions = yes # new in 2.37 test-xfail-tst-fcntl-lock = yes test-xfail-tst-fcntl-lock-lfs = yes +test-xfail-tst-nss-gai-hv2-canonname = yes # missing RLIMIT_AS support test-xfail-tst-vfprintf-width-prec-mem = yes