Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[staging] glibc: cherry-pick fix for CVE-2023-4911 "Looney Tunables" #258857

Closed
wants to merge 1 commit into from
Closed

[staging] glibc: cherry-pick fix for CVE-2023-4911 "Looney Tunables" #258857

wants to merge 1 commit into from

Conversation

ghost
Copy link

@ghost ghost commented Oct 3, 2023
edited by ghost
Loading

Description of changes

  • Reported by Qualys. Advisory, which notes that:

historically, the processing of environment variables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been a fertile source of vulnerabilities in the dynamic loader."

  • There is a working exploit.

  • Upstream fix commit

Things done

  • Built on platform(s)
    • x86_64-linux
    • powerpc64le-linux
    • mips64el-linux
    • aarch64-linux

See also

@ghost ghost added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-23.05 labels Oct 3, 2023
@ghost ghost marked this pull request as ready for review October 3, 2023 20:17
@ghost ghost mentioned this pull request Oct 3, 2023
Closed
4 tasks
@ghost ghost changed the title glibc: apply upstream patch for CVE-2023-4911 (staging) glibc: cherry-pick fix for CVE-2023-4911 "Looney Tunables" (staging) Oct 3, 2023
@ofborg ofborg bot added the 10.rebuild-linux-stdenv This PR causes stdenv to rebuild label Oct 3, 2023
@ofborg ofborg bot requested review from Ma27 and edolstra October 3, 2023 22:03
Ma27
Ma27 requested changes Oct 3, 2023
View reviewed changes
Copy link
Member

@Ma27 Ma27 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please update the patch tarball. The patch is already on the 2.38 & 2.37 release branch, so we can just update the patchlevel.

Also, this has the side-effect that we'd also fix https://nvd.nist.gov/vuln/detail/CVE-2023-5156 (which I just learned about while checking the diff from 2.38 on staging and now).

@fabianhjr fabianhjr changed the title glibc: cherry-pick fix for CVE-2023-4911 "Looney Tunables" (staging) [staging] glibc: cherry-pick fix for CVE-2023-4911 "Looney Tunables" Oct 3, 2023
@ghost
Copy link
Author

ghost commented Oct 3, 2023
edited by ghost
Loading

The patch is already on the 2.38 & 2.37 release branch, so we can just update the patchlevel.

Then what gets backported to 23.05? Are we going to backport the upgrade? Seems like a pretty major change for the stable branch.

I mean sure, we should update the patch tarball, but if we do that first there is no way to reference a single commit to backport only the fix.

@ghost
Copy link
Author

ghost commented Oct 3, 2023
edited by ghost
Loading

Also, this has the side-effect that we'd also fix https://nvd.nist.gov/vuln/detail/CVE-2023-5156

Our current master-branch glibc expression is not affected by CVE-2023-5156.

The bug which causes CVE-2023-5156 was introduced in an attempt to fix CVE-2023-4806. The latter CVE (CVE-2023-4806) only affects a very small class of custom NSS plugins that implement nss_gethostbyname2_r but don't implement nss_gethostbyname3_r. NixOS uses nscd, which does implement nss_gethostbyname3_r. It's also not clear that CVE-2023-4806 is exploitable.

@Ma27
Copy link
Member

Ma27 commented Oct 4, 2023

Then what gets backported to 23.05? Are we going to backport the upgrade? Seems like a pretty major change for the stable branch.

Both 2.37 (what we have on 23.05) & 2.38 (what we have on staging) have the fix in their release branches, so we can update the patchlevel again.

@flokli
Copy link
Contributor

flokli commented Oct 4, 2023

@Ma27 would you mind opening new PRs for staging unstable and staging stable?

@edef1c edef1c mentioned this pull request Oct 4, 2023
Merged
12 tasks
@edef1c
Copy link
Member

edef1c commented Oct 4, 2023

@Ma27 would you mind opening new PRs for staging unstable and staging stable?

Covered: #258972 (unstable) and #258975 (stable)

@flokli
Copy link
Contributor

flokli commented Oct 4, 2023

Closing this in favor of #258972 (backport PR #258975).

It contains a patchlevel update.

@flokli flokli closed this Oct 4, 2023
@ghost ghost deleted the cve-2023-4911-staging branch January 23, 2024 06:44
@Artturin Artturin mentioned this pull request Jan 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edolstra edolstra Awaiting requested review from edolstra

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 11-100 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+ 10.rebuild-linux-stdenv This PR causes stdenv to rebuild
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Ma27 @flokli @edef1c