CVE-2021-3326: The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=27256 Patch: https://sourceware.org/pipermail/libc-alpha/2021-January/122058.html
This will be in 2.33 which is out shortly but obviously we won't be stabling that for a while.
CVE-2020-27618 (https://sourceware.org/bugzilla/show_bug.cgi?id=26224): The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228. Also fixed in 2.33.
(In reply to John Helmert III (ajak) from comment #0) > CVE-2021-3326: > > The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and > earlier, when processing invalid input sequences in the ISO-2022-JP-3 > encoding, fails an assertion in the code path and aborts the program, > potentially resulting in a denial of service. > > Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=27256 > Patch: https://sourceware.org/pipermail/libc-alpha/2021-January/122058.html fixed in gentoo 2.32 branch, tag gentoo/glibc-2.32-7 (In reply to John Helmert III (ajak) from comment #2) > CVE-2020-27618 (https://sourceware.org/bugzilla/show_bug.cgi?id=26224): > > The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and > earlier, when processing invalid multi-byte input sequences in IBM1364, > IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input > state, which could lead to an infinite loop in applications, resulting in a > denial of service, a different vulnerability from CVE-2016-10228. > > > Also fixed in 2.33. fixed in gentoo 2.32 branch, tag gentoo/glibc-2.32-3
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d446edfec1019a14aa3d2bbdbdfb79845b053b0c commit d446edfec1019a14aa3d2bbdbdfb79845b053b0c Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2021-02-27 19:17:04 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2021-02-27 19:18:01 +0000 sys-libs/glibc: Bump to 2.32 patchlevel 8 Bug: https://bugs.gentoo.org/767718 Bug: https://bugs.gentoo.org/768366 Package-Manager: Portage-3.0.13, Repoman-3.0.2 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> sys-libs/glibc/Manifest | 1 + sys-libs/glibc/glibc-2.32-r8.ebuild | 1513 +++++++++++++++++++++++++++++++++++ 2 files changed, 1514 insertions(+)
Thank you!
Nothing to do for toolchain here anymore
New request filed
This issue was resolved and addressed in GLSA 202107-07 at https://security.gentoo.org/glsa/202107-07 by GLSA coordinator John Helmert III (ajak).