Import Debian changes 2.36-9+deb12u3

ad2abc43 · Aurelien Jarno · Dylan Aïssi · ce9e9e83 · ad2abc43 · ad2abc43
Commit ad2abc43 authored 1 year ago by Aurelien Jarno Committed by Dylan Aïssi 1 year ago
--- a/debian/changelog
+++ b/debian/changelog
+glibc (2.36-9+deb12u3) bookworm-security; urgency=medium
+
+  * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the
+    dynamic loader's processing of the GLIBC_TUNABLES environment variable
+    (CVE-2023-4911).
+
+ -- Aurelien Jarno <aurel32@debian.org>  Sat, 30 Sep 2023 10:31:05 +0200
+
+glibc (2.36-9+deb12u2) bookworm; urgency=medium
+
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - Fix the value of F_GETLK/F_SETLK/F_SETLKW with __USE_FILE_OFFSET64 on
+      ppc64el.  Closes: #1050592.
+    - Fix a stack read overflow in getaddrinfo in no-aaaa mode
+      (CVE-2023-4527).  Closes: #1051958.
+    - Fix use after free in getcanonname (CVE-2023-4806, CVE-2023-5156).
+    - Update the x86 cacheinfo code to look at the per-thread L3 cache to
+      determine the non-temporal threshold. This improves memory and string
+      functions on modern CPUs.
+    - Fix _dl_find_object to return correct values even during early startup.
+    - Always call destructors in reverse constructor order.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Thu, 28 Sep 2023 22:50:47 +0200
+
 glibc (2.36-9+deb12u1) bookworm; urgency=medium
  
  [ Aurelien Jarno ]

--- a/debian/patches/any/local-CVE-2023-4911.patch
+++ b/debian/patches/any/local-CVE-2023-4911.patch
+From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Mon, 11 Sep 2023 18:53:15 -0400
+Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+---
+Changes from v1:
+
+- Also null-terminate tunestr before exiting.
+
+ elf/dl-tunables.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8e7ee9df10..76cf8b9da3 100644
+--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
+       /* If we reach the end of the string before getting a valid name-value
+ 	 pair, bail out.  */
+       if (p[len] == '\0')
+-	{
+-	  if (__libc_enable_secure)
+-	    tunestr[off] = '\0';
+-	  return;
+-	}
+	break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+ 	 colon.  */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
+ 	    }
+ 	}
+ 
+-      if (p[len] != '\0')
+-	p += len + 1;
+      /* We reached the end while processing the tunable string.  */
+      if (p[len] == '\0')
+	break;
+
+      p += len + 1;
+     }
+
+  /* Terminate tunestr before we leave.  */
+  if (__libc_enable_secure)
+    tunestr[off] = '\0';
+ }
+ #endif
+ 
+-- 
+2.41.0
+
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,3 +119,4 @@ any/local-test-install.diff
 any/local-cross.patch
 any/git-floatn-gcc-13-support.diff
 any/local-disable-tst-bz29951.diff
+any/local-CVE-2023-4911.patch