Bug 803437 (CVE-2021-35942)

Summary:	<sys-libs/glibc-2.33-r5 : OOB read (CVE-2021-35942)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	toolchain
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://sourceware.org/bugzilla/show_bug.cgi?id=28011
Whiteboard:	A3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	809410
Bug Blocks:

Description John Helmert III archtester

2021-07-23 00:55:45 UTC

CVE-2021-35942:

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

Unreleased patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:20:35 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:28:38 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:36:37 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:44:40 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:52:44 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:56:39 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:00:39 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 18:08:56 UTC

Package list is empty or all packages have requested keywords.

Comment 9 Andreas K. Hüttel archtester

2021-07-31 22:40:24 UTC

fixed in Gentoo 2.33 patchset 5

Comment 10 John Helmert III archtester

2022-08-14 05:20:43 UTC

GLSA request filed

Comment 11 Larry the Git Cow gentoo-dev

2022-08-14 14:34:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=db5361e1e42ef0dfb4d6eda6648cae61bea60edf

commit db5361e1e42ef0dfb4d6eda6648cae61bea60edf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-24 ] GNU C Library: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803437
    Bug: https://bugs.gentoo.org/807935
    Bug: https://bugs.gentoo.org/831096
    Bug: https://bugs.gentoo.org/831212
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-24.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

Comment 12 Sam James archtester

2022-08-14 14:37:50 UTC

GLSA done, all done.