Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 831096 (CVE-2021-3998)

Summary: <sys-libs/glibc-{2.33-r9, 2.34-r7}: Unexpected return value from realpath() for too long results (CVE-2021-3998)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=28770
See Also: https://bugs.gentoo.org/show_bug.cgi?id=831212
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 831212    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-13 05:45:50 UTC 
Description (from upstream bug):
"When the resolved_path argument for realpath is non-NULL and the result is longer than PATH_MAX, the return value is an allocated string instead of resolved_path, which may result in a memory leak since the caller expects resolved_path.

Another problem with this behaviour is that if the caller uses resolved_path instead of the return value from realpath; it may potentially end up using uninitialized memory.

The expected behaviour in case of result being greater than PATH_MAX is to return NULL and set ENAMETOOLONG."

Patch (obviously we'll wait until it's backported): https://marc.info/?l=glibc-alpha&m=164205246222498&w=2
Comment 1 Larry the Git Cow gentoo-dev 2022-01-25 13:13:18 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32cacd85af01e3a00b5fbe4d121c70db56f3e4be

commit 32cacd85af01e3a00b5fbe4d121c70db56f3e4be
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-25 13:11:59 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-25 13:13:06 +0000

    sys-libs/glibc: 2.33 patchlevel 7 bump
    
    Includes fixes for CVE-2021-3998, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219
    
    Bug: https://bugs.gentoo.org/831212
    Bug: https://bugs.gentoo.org/831096
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/Manifest                                       | 1 +
 sys-libs/glibc/{glibc-2.33-r8.ebuild => glibc-2.33-r9.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 05:20:45 UTC 
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2022-08-14 14:34:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=db5361e1e42ef0dfb4d6eda6648cae61bea60edf

commit db5361e1e42ef0dfb4d6eda6648cae61bea60edf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-24 ] GNU C Library: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803437
    Bug: https://bugs.gentoo.org/807935
    Bug: https://bugs.gentoo.org/831096
    Bug: https://bugs.gentoo.org/831212
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-24.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 14:37:53 UTC 
GLSA done, all done.