CVE-2022-23218 (https://sourceware.org/bugzilla/show_bug.cgi?id=28768):

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

CVE-2022-23219 (https://sourceware.org/bugzilla/show_bug.cgi?id=22542):

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
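Added illustration of the bug class the two sunrpc advisories above describe (a caller-supplied string copied into a fixed-size field of a stack-allocated struct with no length check) next to the hardened form that measures first and refuses input that does not fit. This is example code written for this page, not glibc's sunrpc sources and not part of the bug report; the function names unix_addr_unchecked, unix_addr_checked, unix_path_max and checked_accepts_len are hypothetical, and the long path is constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* The pattern the advisories describe: the caller's string goes into the
 * fixed-size sun_path field of a struct on the stack with no length check.
 * sun_path is 108 bytes on Linux; a longer argument writes past it and
 * corrupts the rest of the stack frame.  Shown for contrast only; never
 * call it with input you do not control. */
int unix_addr_unchecked(const char *path, struct sockaddr_un *out)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);      /* unbounded copy: the bug */
    *out = addr;
    return 0;
}

/* Hardened form: measure first, refuse anything that does not fit together
 * with its terminating NUL, and only then copy. */
int unix_addr_checked(const char *path, struct sockaddr_un *out)
{
    size_t len = strlen(path);
    if (len >= sizeof out->sun_path)
        return -1;                    /* caller sees an error, not a smashed stack */
    memset(out, 0, sizeof *out);
    out->sun_family = AF_UNIX;
    memcpy(out->sun_path, path, len + 1);
    return 0;
}

/* Largest path length unix_addr_checked accepts (sun_path size minus the NUL). */
size_t unix_path_max(void)
{
    struct sockaddr_un tmp;
    return sizeof tmp.sun_path - 1;
}

/* Demo helper: does unix_addr_checked accept a constructed path of len bytes?
 * Returns 1 if accepted, 0 if rejected, -1 if len exceeds the scratch buffer. */
int checked_accepts_len(size_t len)
{
    char buf[1024];                   /* constructed input, all 'A's */
    struct sockaddr_un addr;
    if (len >= sizeof buf)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return unix_addr_checked(buf, &addr) == 0;
}

int main(void)
{
    size_t max = unix_path_max();
    printf("sun_path holds at most %zu bytes\n", max);
    printf("%zu-byte path accepted: %d\n", max, checked_accepts_len(max));
    printf("%zu-byte path accepted: %d\n", max + 1, checked_accepts_len(max + 1));
    /* unix_addr_unchecked() with a path of max + 1 or more bytes would
     * overflow the stack frame here, which is exactly what the fix prevents. */
    return 0;
}
```

The check is `len >= sizeof sun_path` rather than `>` because the terminating NUL needs a byte too; a path of exactly sizeof sun_path characters would otherwise leave the field unterminated.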
+ CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd
+ function may result in an off-by-one buffer underflow and overflow
+ when the current working directory is longer than PATH_MAX and also
+ corresponds to the / directory through an unprivileged mount
+ namespace.
+
> CVE-2022-23218 (https://sourceware.org/bugzilla/show_bug.cgi?id=28768):
>
> The deprecated compatibility function svcunix_create in the sunrpc module of
> the GNU C Library (aka glibc) through 2.34 copies its path argument on the
> stack without validating its length, which may result in a buffer overflow,
> potentially resulting in a denial of service or (if an application is not
> built with a stack protector enabled) arbitrary code execution.

Fixed in gentoo/2.33 branch, will be in patchset 7

> CVE-2022-23219 (https://sourceware.org/bugzilla/show_bug.cgi?id=22542):
>
> The deprecated compatibility function clnt_create in the sunrpc module of
> the GNU C Library (aka glibc) through 2.34 copies its hostname argument on
> the stack without validating its length, which may result in a buffer
> overflow, potentially resulting in a denial of service or (if an application
> is not built with a stack protector enabled) arbitrary code execution.

Fixed in gentoo/2.33 branch, will be in patchset 7

> + CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd
> + function may result in an off-by-one buffer underflow and overflow
> + when the current working directory is longer than PATH_MAX and also
> + corresponds to the / directory through an unprivileged mount
> + namespace.
> +
> https://sourceware.org/bugzilla/show_bug.cgi?id=28769

No fix yet
(In reply to Andreas K. Hüttel from comment #2)
> > CVE-2022-23218 (https://sourceware.org/bugzilla/show_bug.cgi?id=28768):
> >
> > The deprecated compatibility function svcunix_create in the sunrpc module of
> > the GNU C Library (aka glibc) through 2.34 copies its path argument on the
> > stack without validating its length, which may result in a buffer overflow,
> > potentially resulting in a denial of service or (if an application is not
> > built with a stack protector enabled) arbitrary code execution.
>
> Fixed in gentoo/2.33 branch, will be in patchset 7
>
> > CVE-2022-23219 (https://sourceware.org/bugzilla/show_bug.cgi?id=22542):
> >
> > The deprecated compatibility function clnt_create in the sunrpc module of
> > the GNU C Library (aka glibc) through 2.34 copies its hostname argument on
> > the stack without validating its length, which may result in a buffer
> > overflow, potentially resulting in a denial of service or (if an application
> > is not built with a stack protector enabled) arbitrary code execution.
>
> Fixed in gentoo/2.33 branch, will be in patchset 7
>
> > + CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd
> > + function may result in an off-by-one buffer underflow and overflow
> > + when the current working directory is longer than PATH_MAX and also
> > + corresponds to the / directory through an unprivileged mount
> > + namespace.
> > +
> > https://sourceware.org/bugzilla/show_bug.cgi?id=28769
>
> No fix yet

Fixed in 2.33 branch upstream now (all now fixed upstream for 2.33 + 2.34).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32cacd85af01e3a00b5fbe4d121c70db56f3e4be

commit 32cacd85af01e3a00b5fbe4d121c70db56f3e4be
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-25 13:11:59 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-25 13:13:06 +0000

    sys-libs/glibc: 2.33 patchlevel 7 bump

    Includes fixes for CVE-2021-3998, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219

    Bug: https://bugs.gentoo.org/831212
    Bug: https://bugs.gentoo.org/831096
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/Manifest                                       | 1 +
 sys-libs/glibc/{glibc-2.33-r8.ebuild => glibc-2.33-r9.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
No cleanup (toolchain). All masked. Nothing to do for toolchain here anymore.
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=db5361e1e42ef0dfb4d6eda6648cae61bea60edf

commit db5361e1e42ef0dfb4d6eda6648cae61bea60edf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-24 ] GNU C Library: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/803437
    Bug: https://bugs.gentoo.org/807935
    Bug: https://bugs.gentoo.org/831096
    Bug: https://bugs.gentoo.org/831212
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-24.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
GLSA done, all done.