CVE-2021-38604: In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix. Patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8
We're waiting for news on a backport.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7fb14f0b1a2d1e590437487be9a6a2c278aafd60 commit 7fb14f0b1a2d1e590437487be9a6a2c278aafd60 Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2021-08-18 18:00:28 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2021-08-18 18:01:02 +0000 sys-libs/glibc: Bump 2.34 patchlevel to 2 (unkeyworded) Bug: https://bugs.gentoo.org/807935 Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> sys-libs/glibc/Manifest | 2 +- sys-libs/glibc/glibc-2.34.ebuild | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c150cdb5bc5d9fc84079cc764957b7823c3bf43 commit 8c150cdb5bc5d9fc84079cc764957b7823c3bf43 Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2021-08-18 17:56:02 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2021-08-18 18:00:55 +0000 sys-libs/glibc: 2.33 revision/patchlevel 6 bump Bug: https://bugs.gentoo.org/807935 Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=28213 Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> sys-libs/glibc/Manifest | 1 + sys-libs/glibc/glibc-2.33-r7.ebuild | 1551 +++++++++++++++++++++++++++++++++++ 2 files changed, 1552 insertions(+)
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=db5361e1e42ef0dfb4d6eda6648cae61bea60edf commit db5361e1e42ef0dfb4d6eda6648cae61bea60edf Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-08-14 14:29:01 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-08-14 14:33:57 +0000 [ GLSA 202208-24 ] GNU C Library: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/803437 Bug: https://bugs.gentoo.org/807935 Bug: https://bugs.gentoo.org/831096 Bug: https://bugs.gentoo.org/831212 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202208-24.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+)
GLSA done, all done.