Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 831212 (CVE-2021-3999, CVE-2022-23218, CVE-2022-23219) - <sys-libs/glibc-{2.33-r9, 2.34-r7}: Multiple vulnerabilities
Summary: <sys-libs/glibc-{2.33-r9, 2.34-r7}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-3999, CVE-2022-23218, CVE-2022-23219
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 833811
Blocks: CVE-2021-3998
  Show dependency tree
 
Reported: 2022-01-14 22:14 UTC by Sam James
Modified: 2022-08-14 14:40 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-14 22:14:38 UTC
CVE-2022-23218 (https://sourceware.org/bugzilla/show_bug.cgi?id=28768):

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

CVE-2022-23219 (https://sourceware.org/bugzilla/show_bug.cgi?id=22542):

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-18 12:31:58 UTC
+  CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd
+  function may result in an off-by-one buffer underflow and overflow
+  when the current working directory is longer than PATH_MAX and also
+  corresponds to the / directory through an unprivileged mount
+  namespace.
+
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2022-01-18 21:17:25 UTC
> CVE-2022-23218 (https://sourceware.org/bugzilla/show_bug.cgi?id=28768):
> 
> The deprecated compatibility function svcunix_create in the sunrpc module of
> the GNU C Library (aka glibc) through 2.34 copies its path argument on the
> stack without validating its length, which may result in a buffer overflow,
> potentially resulting in a denial of service or (if an application is not
> built with a stack protector enabled) arbitrary code execution.

Fixed in gentoo/2.33 branch, will be in patchset 7


> CVE-2022-23219 (https://sourceware.org/bugzilla/show_bug.cgi?id=22542):
> 
> The deprecated compatibility function clnt_create in the sunrpc module of
> the GNU C Library (aka glibc) through 2.34 copies its hostname argument on
> the stack without validating its length, which may result in a buffer
> overflow, potentially resulting in a denial of service or (if an application
> is not built with a stack protector enabled) arbitrary code execution.

Fixed in gentoo/2.33 branch, will be in patchset 7


> +  CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd
> +  function may result in an off-by-one buffer underflow and overflow
> +  when the current working directory is longer than PATH_MAX and also
> +  corresponds to the / directory through an unprivileged mount
> +  namespace.
> +

https://sourceware.org/bugzilla/show_bug.cgi?id=28769 
No fix yet
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-24 16:13:23 UTC
(In reply to Andreas K. Hüttel from comment #2)
> > CVE-2022-23218 (https://sourceware.org/bugzilla/show_bug.cgi?id=28768):
> > 
> > The deprecated compatibility function svcunix_create in the sunrpc module of
> > the GNU C Library (aka glibc) through 2.34 copies its path argument on the
> > stack without validating its length, which may result in a buffer overflow,
> > potentially resulting in a denial of service or (if an application is not
> > built with a stack protector enabled) arbitrary code execution.
> 
> Fixed in gentoo/2.33 branch, will be in patchset 7
> 
> 
> > CVE-2022-23219 (https://sourceware.org/bugzilla/show_bug.cgi?id=22542):
> > 
> > The deprecated compatibility function clnt_create in the sunrpc module of
> > the GNU C Library (aka glibc) through 2.34 copies its hostname argument on
> > the stack without validating its length, which may result in a buffer
> > overflow, potentially resulting in a denial of service or (if an application
> > is not built with a stack protector enabled) arbitrary code execution.
> 
> Fixed in gentoo/2.33 branch, will be in patchset 7
> 
> 
> > +  CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd
> > +  function may result in an off-by-one buffer underflow and overflow
> > +  when the current working directory is longer than PATH_MAX and also
> > +  corresponds to the / directory through an unprivileged mount
> > +  namespace.
> > +
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=28769 
> No fix yet

Fixed in 2.33 branch upstream now (all now fixed upstream for 2.33 + 2.34).
Comment 4 Larry the Git Cow gentoo-dev 2022-01-25 13:13:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32cacd85af01e3a00b5fbe4d121c70db56f3e4be

commit 32cacd85af01e3a00b5fbe4d121c70db56f3e4be
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2022-01-25 13:11:59 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2022-01-25 13:13:06 +0000

    sys-libs/glibc: 2.33 patchlevel 7 bump
    
    Includes fixes for CVE-2021-3998, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219
    
    Bug: https://bugs.gentoo.org/831212
    Bug: https://bugs.gentoo.org/831096
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/Manifest                                       | 1 +
 sys-libs/glibc/{glibc-2.33-r8.ebuild => glibc-2.33-r9.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2022-04-25 22:35:11 UTC
No cleanup (toolchain). All masked.

Nothing to do for toolchain here anymore.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 05:20:46 UTC
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-08-14 14:34:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=db5361e1e42ef0dfb4d6eda6648cae61bea60edf

commit db5361e1e42ef0dfb4d6eda6648cae61bea60edf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-24 ] GNU C Library: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/803437
    Bug: https://bugs.gentoo.org/807935
    Bug: https://bugs.gentoo.org/831096
    Bug: https://bugs.gentoo.org/831212
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-24.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 14:37:58 UTC
GLSA done, all done.