Bug 867952 (CVE-2022-39046) - <sys-libs/glibc-2.36-r5: oob heap memory read in crafted syslog'd strings
Status: IN_PROGRESS
Alias: CVE-2022-39046
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A4 [glsa?]
Reported: 2022-09-02 02:13 UTC by John Helmert III
Modified: 2022-12-08 01:26 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 02:13:20 UTC
CVE-2022-39046:

An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.

Patch is 52a5be0df411ef3ff45c10c7c308cb92993d15b1:

commit 52a5be0df411ef3ff45c10c7c308cb92993d15b1
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Sun Aug 28 16:52:53 2022 -0300

    syslog: Fix large messages (BZ#29536)

    The a583b6add407c17cd change did not handle large messages that
    would require a heap allocation correctly, where the message itself
    is not take in consideration.

    This patch fixes it and extend the tst-syslog to check for large
    messages as well.

    Checked on x86_64-linux-gnu.

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
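
The failure mode described above, as a simplified C model added here (not glibc's code and not part of the bug report): a formatter with a 1024-byte stack buffer that falls back to the heap for larger records, where the unfixed heap path leaves the message itself out of the write. `build_record`, `poisoned_alloc`, `leaked_bytes`, the `0xAA` fill byte and the sample header are assumptions made for the illustration; the fill byte makes never-written heap bytes countable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define STACK_BUF 1024 /* size threshold named in the CVE text */
#define POISON 0xAA    /* constructed marker standing in for stale heap data */

/* Hypothetical allocator: pre-fills memory so never-written bytes show up. */
static char *poisoned_alloc(size_t n) {
    char *p = malloc(n);
    if (p) memset(p, POISON, n);
    return p;
}

/* Builds "<hdr><msg>" as a heap record of *len bytes. fixed == 0 models the
   defect: the large-record path writes only the header, yet reports *len. */
char *build_record(int fixed, const char *hdr, const char *msg, size_t *len) {
    char bufs[STACK_BUF];
    int l = snprintf(bufs, sizeof bufs, "%s", hdr);
    if (l < 0 || (size_t)l >= sizeof bufs) return NULL;
    int vl = snprintf(bufs + l, sizeof bufs - (size_t)l, "%s", msg);
    if (vl < 0) return NULL;
    *len = (size_t)l + (size_t)vl;
    char *out = poisoned_alloc(*len + 1);
    if (!out) return NULL;
    if ((size_t)vl < sizeof bufs - (size_t)l) {
        memcpy(out, bufs, *len + 1); /* small record: stack copy is complete */
    } else {
        snprintf(out, (size_t)l + 1, "%s", hdr);
        if (fixed) /* corrected path: the write covers the message too */
            snprintf(out + l, (size_t)vl + 1, "%s", msg);
    }
    return out;
}

/* Counts bytes in the record that no formatter call ever wrote. */
size_t leaked_bytes(const char *rec, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)rec[i] == POISON) n++;
    return n;
}

int main(void) {
    char msg[2001]; size_t len = 0;
    memset(msg, 'A', 2000); msg[2000] = '\0'; /* constructed 2000-byte message */
    char *r = build_record(0, "<13>demo: ", msg, &len);
    if (r) printf("unfixed: %zu of %zu bytes never written\n", leaked_bytes(r, len), len);
    free(r); return 0;
}
```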
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2022-12-05 23:46:44 UTC
Fixed in our 2.36-r5, already stable.
Comment 2 Larry the Git Cow gentoo-dev 2022-12-05 23:48:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67a7c931b9e46159493205e847aa1ec3d1dc7ef0

commit 67a7c931b9e46159493205e847aa1ec3d1dc7ef0
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-12-05 23:47:58 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-12-05 23:48:36 +0000

    package.mask: Extend old glibc mask, bug 867952
    
    Bug: https://bugs.gentoo.org/867952
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2022-12-05 23:49:18 UTC
All vulnerable versions masked. No cleanup.
Comment 4 Eddie Chapman 2022-12-06 17:44:26 UTC
My understanding is this bug was introduced in 2.36, fixed in 2.37 and the fix backported to 2.36. 2.35 and lower are unaffected. Or am I missing something?
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 01:26:58 UTC
(In reply to Eddie Chapman from comment #4)
> My understanding is this bug was introduced in 2.36, fixed in 2.37 and the
> fix backported to 2.36. 2.35 and lower are unaffected. Or am I missing
> something?

That seems right (but I'm not really familiar with glibc, just gleaned this from poking around in git a bit).