Bug 948592 (CVE-2025-0395) - <sys-libs/glibc-2.40-r8: Buffer overflow in the GNU C Library's assert()
Summary: <sys-libs/glibc-2.40-r8: Buffer overflow in the GNU C Library's assert()
Status: IN_PROGRESS
Alias: CVE-2025-0395
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A2 [glsa? cleanup]
Keywords:
Depends on: 948633
Blocks:
Reported: 2025-01-22 20:48 UTC by Sam James
Modified: 2025-03-09 20:46 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sam James 2025-01-22 20:48:59 UTC
"""
Hi all,

On January 10, 2025, we contacted the GNU C Library's security team
about a buffer overflow that we discovered in assert()'s implementation
(CVE-2025-0395). Because this vulnerability seems relatively minor (for
reasons detailed below), it was decided that it could be discussed and
patched publicly, without an embargo.

Today (January 22, 2025) a Bugzilla entry and a patch proposal for this
vulnerability have been published:

  https://sourceware.org/bugzilla/show_bug.cgi?id=32582
  https://patchwork.sourceware.org/project/glibc/list/?series=43300
  https://sourceware.org/pipermail/libc-alpha/2025-January/164164.html
  https://sourceware.org/pipermail/libc-alpha/2025-January/164165.html
  https://sourceware.org/pipermail/libc-alpha/2025-January/164166.html

For more details and a proof of concept, below are the two emails that
we sent to the GNU C Library's security team. We are of course at your
disposal for questions, comments, and further discussions. Thank you
very much!

With best regards,
-- the Qualys Security Advisory team
"""
Comment 1 Sam James 2025-01-23 00:07:44 UTC
commit d1644f95aaf356acf6e77124b8da1904a23bdf45
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Thu Jan 23 00:28:38 2025 +0100

    sys-libs/glibc: 2.40 patchlevel 8 bump

    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

Not yet keyworded while we test.
Comment 2 Larry the Git Cow 2025-01-23 13:59:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18ec4be7c8526a0adb89279c09e2eff6da2acece

commit 18ec4be7c8526a0adb89279c09e2eff6da2acece
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2025-01-23 12:03:13 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2025-01-23 13:59:48 +0000

    sys-libs/glibc: keyword 2.40-r8
    
    Patchset changelog 2.40-7..2.40-8
    f37769b877 (HEAD -> gentoo/2.40, tag: gentoo/glibc-2.40-8, gentoo/gentoo/2.40) Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    d6df843eca Fix missing randomness in __gen_tempname (bug 32214)
    e4ef305fc4 hppa: Simplify handling of sanity check errors in clone.S.
    aea26c8570 hppa: Fix strace detach-vfork test
    098aaa8d6b x86: Avoid integer truncation with large cache sizes (bug 32470)
    4c028395a1 linux: Fix tst-syscall-restart.c on old gcc (BZ 32283)
    70258d6110 math: Exclude internal math symbols for tests [BZ #32414]
    199b0f2247 malloc: add indirection for malloc(-like) functions in tests [BZ #32366]
    2d6ede43d6 nptl: initialize cpu_id_start prior to rseq registration
    38d45c44c5 nptl: initialize rseq area prior to registration
    
    Bug: https://bugs.gentoo.org/948592
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 sys-libs/glibc/glibc-2.40-r8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Sam James 2025-01-24 01:39:41 UTC
I've filed and kicked off bug 948633.