
[staging] glibc: cherry-pick fix for CVE-2023-4911 "Looney Tunables"#258857

Closed
ghost wants to merge 1 commit into staging from unknown repository

Conversation


@ghost ghost commented Oct 3, 2023

Description of changes

  • Reported by Qualys. Advisory, which notes that: "historically, the processing of environment variables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been a fertile source of vulnerabilities in the dynamic loader."

  • There is a working exploit.

  • Upstream fix commit

Things done

  • Built on platform(s)
    • x86_64-linux
    • powerpc64le-linux
    • mips64el-linux
    • aarch64-linux

See also

@ghost ghost added the labels 1.severity: security (Issues which raise a security issue, or PRs that fix one) and backport release-23.05 Oct 3, 2023
@ghost ghost marked this pull request as ready for review October 3, 2023 20:17
@ghost ghost changed the title from "glibc: apply upstream patch for CVE-2023-4911 (staging)" to "glibc: cherry-pick fix for CVE-2023-4911 "Looney Tunables" (staging)" Oct 3, 2023
@ofborg ofborg bot added the label 10.rebuild-linux-stdenv (This PR causes stdenv to rebuild on Linux and must target a staging branch.) Oct 3, 2023
@ofborg ofborg bot requested review from Ma27 and edolstra October 3, 2023 22:03
@ofborg ofborg bot added the labels 10.rebuild-darwin: 11-100 (This PR causes between 11 and 100 packages to rebuild on Darwin.), 10.rebuild-linux: 501+ (This PR causes many rebuilds on Linux and should normally target the staging branches.) and 10.rebuild-linux: 5001+ (This PR causes many rebuilds on Linux and must target the staging branches.) Oct 3, 2023
Member

@Ma27 Ma27 left a comment


Please update the patch tarball. The patch is already on the 2.38 & 2.37 release branch, so we can just update the patchlevel.

Also, this has the side-effect that we'd also fix https://nvd.nist.gov/vuln/detail/CVE-2023-5156 (which I just learned about while checking the diff from 2.38 on staging and now).

@fabianhjr fabianhjr changed the title from "glibc: cherry-pick fix for CVE-2023-4911 "Looney Tunables" (staging)" to "[staging] glibc: cherry-pick fix for CVE-2023-4911 "Looney Tunables"" Oct 3, 2023
Author

ghost commented Oct 3, 2023

The patch is already on the 2.38 & 2.37 release branch, so we can just update the patchlevel.

Then what gets backported to 23.05? Are we going to backport the upgrade? Seems like a pretty major change for the stable branch.

I mean sure, we should update the patch tarball, but if we do that first there is no way to reference a single commit to backport only the fix.

Author

ghost commented Oct 3, 2023

Also, this has the side-effect that we'd also fix https://nvd.nist.gov/vuln/detail/CVE-2023-5156

Our current master-branch glibc expression is not affected by CVE-2023-5156.

The bug which causes CVE-2023-5156 was introduced in an attempt to fix CVE-2023-4806. The latter CVE (CVE-2023-4806) only affects a very small class of custom NSS plugins that implement nss_gethostbyname2_r but don't implement nss_gethostbyname3_r. NixOS uses nscd, which does implement nss_gethostbyname3_r. It's also not clear that CVE-2023-4806 is exploitable.

Member

Ma27 commented Oct 4, 2023

Then what gets backported to 23.05? Are we going to backport the upgrade? Seems like a pretty major change for the stable branch.

Both 2.37 (what we have on 23.05) & 2.38 (what we have on staging) have the fix in their release branches, so we can update the patchlevel again.

Member

flokli commented Oct 4, 2023

@Ma27 would you mind opening new PRs for staging unstable and staging stable?

@edef1c edef1c mentioned this pull request Oct 4, 2023
Member

edef1c commented Oct 4, 2023

@Ma27 would you mind opening new PRs for staging unstable and staging stable?

Covered: #258972 (unstable) and #258975 (stable)

Member

flokli commented Oct 4, 2023

Closing this in favor of #258972 (backport PR #258975).

It contains a patchlevel update.

@flokli flokli closed this Oct 4, 2023
@ghost ghost deleted the cve-2023-4911-staging branch January 23, 2024 06:44