Merge pull request 'glibc 2.34-83.12.el9_3.security.0.5 with CVE-2024-2961 fix' (#30) from solardiz-patch-28 into main

Reviewed-on: security/wiki#30
Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
Neil Hanlon 2024-04-18 18:58:19 +00:00
commit ea9aee0a60
3 changed files with 42 additions and 2 deletions

View File

@ -0,0 +1,25 @@
# CVE-2024-2961: glibc
## Title
CVE-2024-2961: glibc: Out of bounds write in iconv may lead to remote code execution
## Summary
As [described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-2961):
An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. When converting from UCS4 charset, adding certain escape charterers is required to indicate where the charset was changed to the library. During this process, iconv improperly checks the boundaries of internal buffers, leading to a buffer overflow, which allows writing up to 3 bytes outside the desired memory location. This issue may allow an attacker to craft a malicious characters sequence that will trigger the out-of-bounds write and perform remote code execution, presenting a high impact to the Integrity, Confidentiality, and Availability triad.
and as [further discussed on oss-security](https://www.openwall.com/lists/oss-security/2024/04/18/4):
On PHP [this glibc bug led] to amazing results: a new exploitation technique that affects the whole PHP ecosystem.
Public disclosure date: April 17, 2024
## EL9
Fixed in version: `2.34-83.12.el9_3.security.0.5` available April 18, 2024
## EL8
Affected. We will of course rebuild upstream's fix as soon as it arrives.

View File

@ -2,6 +2,13 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## April 18, 2024
Our hardened EL9 [glibc](packages/glibc.md) updated to include glibc upstream fix for [CVE-2024-2961](issues/CVE-2024-2961.md),
which we now have a status page on.
The status page on [CVE-2024-1086](issues/CVE-2024-1086.md) has been updated to refer to EL8 fix and errata, suggest disabling network namespaces, explain remaining risks with LKRG.
## March 28, 2024 ## March 28, 2024
We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md), We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md),

View File

@ -2,8 +2,8 @@
## EL9 ## EL9
- Version `2.34-83.7.el9_3.security.0.4` - Version `2.34-83.12.el9_3.security.0.5`
- Based on `2.34-83.el9.7` - Based on `2.34-83.el9.12`
### Changes summary ### Changes summary
@ -17,6 +17,8 @@
#### Known-effective vulnerability mitigations and fixes #### Known-effective vulnerability mitigations and fixes
`2.34-83.12.el9_3.security.0.5` includes `iconv(3)` ISO-2022-CN-EXT [CVE-2024-2961](../issues/CVE-2024-2961.md) fix from upstream glibc 2.34 branch.
`2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more). `2.34-60.el9_2.security.0.2` included mitigations sufficient to avoid security exposure of [CVE-2023-4911](../issues/CVE-2023-4911.md) and a backport of upstream glibc fix of [CVE-2023-4527](https://www.openwall.com/lists/oss-security/2023/09/25/1) that was not yet in upstream EL. In the update to `2.34-60.7.el9_2.security.0.3` and beyond, we retained the mitigations while rebasing on upstream EL's package with upstream fixes for these vulnerabilities (and more).
In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on. In general, inclusion of additional security fixes will be "reverted" if and when those get included in upstream EL packages that we rebase our changes on.
@ -24,6 +26,12 @@ In general, inclusion of additional security fixes will be "reverted" if and whe
### Change log ### Change log
``` ```
* Thu Apr 18 2024 Solar Designer <solar@openwall.com> - 2.34-83.12.el9.security.0.5
- Rebase on 2.34-83.12
- Add iconv() ISO-2022-CN-EXT CVE-2024-2961 fix from upstream glibc 2.34 branch
[... upstream changes ...]
* Wed Jan 31 2024 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.4 * Wed Jan 31 2024 Solar Designer <solar@openwall.com> - 2.34-83.7.el9.security.0.4
- Harden syslog ident fallback initialization to use at most 64 characters of - Harden syslog ident fallback initialization to use at most 64 characters of
__progname when __libc_enable_secure, as inspired by Qualys' discovery of __progname when __libc_enable_secure, as inspired by Qualys' discovery of