wiki/docs/issues/CVE-2024-2961.md

# CVE-2024-2961: glibc

## Title

CVE-2024-2961: glibc: Out of bounds write in iconv may lead to remote code execution

## Summary

As [described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-2961):

An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. When converting from UCS4 charset, adding certain escape charterers is required to indicate where the charset was changed to the library. During this process, iconv improperly checks the boundaries of internal buffers, leading to a buffer overflow, which allows writing up to 3 bytes outside the desired memory location. This issue may allow an attacker to craft a malicious characters sequence that will trigger the out-of-bounds write and perform remote code execution, presenting a high impact to the Integrity, Confidentiality, and Availability triad.

and as [further discussed on oss-security](https://www.openwall.com/lists/oss-security/2024/04/18/4):

On PHP [this glibc bug led] to amazing results: a new exploitation technique that affects the whole PHP ecosystem.

Public disclosure date: April 17, 2024

## EL9

Fixed in version: `2.34-83.12.el9_3.security.0.5` available April 18, 2024

## EL8

Affected. We will of course rebuild upstream's fix as soon as it arrives.

## Mitigation

Support for the ISO-2022-CN-EXT character set can be excluded from glibc's iconv(3) by editing `/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf` to comment out the below 3 lines at line 1254 (same line number in EL9 and EL8) and then regenerating the cache file:

```
alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
```

These two steps can be accomplished by running the below commands as root:

```
sed -i -r 's/^(.*ISO-2022-CN-EXT.*)$/#\1/' /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
iconvconfig
```

To make sure this has worked as intended, we also recommend that you run `iconv -l | grep ISO-2022-CN-EXT` before and after the above procedure. It should list the ISO-2022-CN-EXT character set before the procedure, but produce empty output afterwards.

Finally, if you have long-running processes for which the bug matters (such as PHP-FPM), you'll need to restart those.
glibc 2.34-83.12.el9_3.security.0.5 with CVE-2024-2961 fix 2024-04-18 17:15:37 +00:00			`# CVE-2024-2961: glibc`

			`## Title`

			`CVE-2024-2961: glibc: Out of bounds write in iconv may lead to remote code execution`

			`## Summary`

			`As [described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-2961):`

			An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. When converting from UCS4 charset, adding certain escape charterers is required to indicate where the charset was changed to the library. During this process, iconv improperly checks the boundaries of internal buffers, leading to a buffer overflow, which allows writing up to 3 bytes outside the desired memory location. This issue may allow an attacker to craft a malicious characters sequence that will trigger the out-of-bounds write and perform remote code execution, presenting a high impact to the Integrity, Confidentiality, and Availability triad.

			`and as [further discussed on oss-security](https://www.openwall.com/lists/oss-security/2024/04/18/4):`

			`On PHP [this glibc bug led] to amazing results: a new exploitation technique that affects the whole PHP ecosystem.`

			`Public disclosure date: April 17, 2024`

			`## EL9`

			Fixed in version: `2.34-83.12.el9_3.security.0.5` available April 18, 2024

			`## EL8`

			`Affected. We will of course rebuild upstream's fix as soon as it arrives.`
issues/CVE-2024-2961.md: Add a mitigation 2024-04-23 13:21:32 +00:00
			`## Mitigation`

			Support for the ISO-2022-CN-EXT character set can be excluded from glibc's iconv(3) by editing `/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf` to comment out the below 3 lines at line 1254 (same line number in EL9 and EL8) and then regenerating the cache file:

			```
			`alias ISO2022CNEXT// ISO-2022-CN-EXT//`
			`module ISO-2022-CN-EXT// INTERNAL ISO-2022-CN-EXT 1`
			`module INTERNAL ISO-2022-CN-EXT// ISO-2022-CN-EXT 1`
			```

			`These two steps can be accomplished by running the below commands as root:`

			```
			`sed -i -r 's/^(.ISO-2022-CN-EXT.)$/#\1/' /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf`
			`iconvconfig`
			```

			To make sure this has worked as intended, we also recommend that you run `iconv -l \| grep ISO-2022-CN-EXT` before and after the above procedure. It should list the ISO-2022-CN-EXT character set before the procedure, but produce empty output afterwards.

			`Finally, if you have long-running processes for which the bug matters (such as PHP-FPM), you'll need to restart those.`