831096 – (CVE-2021-3998) <sys-libs/glibc-{2.33-r9, 2.34-r7}: Unexpected return value from realpath() for too long results (CVE-2021-3998)

Bug 831096 (CVE-2021-3998) - <sys-libs/glibc-{2.33-r9, 2.34-r7}: Unexpected return value from realpath() for too long results (CVE-2021-3998)

Summary: <sys-libs/glibc-{2.33-r9, 2.34-r7}: Unexpected return value from realpath() f...

Status:	RESOLVED FIXED

Alias:	CVE-2021-3998

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://sourceware.org/bugzilla/show_...
Whiteboard:	A3 [glsa+]
Keywords:

Depends on:	CVE-2021-3999, CVE-2022-23218, CVE-2022-23219
Blocks:
	Show dependency tree

Reported:	2022-01-13 05:45 UTC by Sam James
Modified:	2022-08-14 14:41 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2021-3999, CVE-2022-23218, CVE-2022-23219
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2022-01-13 05:45:50 UTC

Description (from upstream bug):
"When the resolved_path argument for realpath is non-NULL and the result is longer than PATH_MAX, the return value is an allocated string instead of resolved_path, which may result in a memory leak since the caller expects resolved_path.

Another problem with this behaviour is that if the caller uses resolved_path instead of the return value from realpath; it may potentially end up using uninitialized memory.

The expected behaviour in case of result being greater than PATH_MAX is to return NULL and set ENAMETOOLONG."

Patch (obviously we'll wait until it's backported): https://marc.info/?l=glibc-alpha&m=164205246222498&w=2

Comment 1 Larry the Git Cow gentoo-dev

2022-01-25 13:13:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32cacd85af01e3a00b5fbe4d121c70db56f3e4be

commit 32cacd85af01e3a00b5fbe4d121c70db56f3e4be
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-25 13:11:59 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-25 13:13:06 +0000

    sys-libs/glibc: 2.33 patchlevel 7 bump
    
    Includes fixes for CVE-2021-3998, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219
    
    Bug: https://bugs.gentoo.org/831212
    Bug: https://bugs.gentoo.org/831096
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/Manifest                                       | 1 +
 sys-libs/glibc/{glibc-2.33-r8.ebuild => glibc-2.33-r9.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

Comment 2 John Helmert III archtester

2022-08-14 05:20:45 UTC

GLSA request filed

Comment 3 Larry the Git Cow gentoo-dev

2022-08-14 14:34:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=db5361e1e42ef0dfb4d6eda6648cae61bea60edf

commit db5361e1e42ef0dfb4d6eda6648cae61bea60edf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-24 ] GNU C Library: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803437
    Bug: https://bugs.gentoo.org/807935
    Bug: https://bugs.gentoo.org/831096
    Bug: https://bugs.gentoo.org/831212
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-24.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

Comment 4 Sam James archtester

2022-08-14 14:37:53 UTC

GLSA done, all done.