Bug 55326 - glibc: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.0-2-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2022-10-20 06:53 CEST by Quality Assurance
Modified: 2022-10-20 13:41 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Description Quality Assurance univentionstaff 2022-10-20 06:53:48 CEST
New Debian glibc 2.28-10+deb10u2 fixes:
This update addresses the following issues:
2.28-10+deb10u1 (Tue, 15 Mar 2022 23:48:49 +0100)
[ Aurelien Jarno ]
* debian/patches/git-updates.diff: update from upstream stable branch:
  - Add more integrity check to malloc() function.
  - Fix crash in _IO_wfile_sync.
  - Fix bad free() in libdl if dlerror() is not used.
  - Fix overflow in glibc.malloc.tcache_count tunable.
  - Fix old x86 applications crash on exit() under valgrind.
  - Remove copy_file_range emulation. The kernel interface has evolved and the glibc emulation doesn't match it anymore, so it's better for it to return -ENOSYS. This only impacts Linux kernels << 4.8.
  - Avoid lazy binding of symbols that may follow a variant PCS on arm64, to support binaries using AdvSIMD and SVE vector calls.
  - Fix large mmap64 offset for the N32 ABI on mips/mipsel/mips64el.
  - Improve string functions performances on arm64.
* debian/patches/any/git-libio-stdout-putc.diff: refresh.
* debian/debhelper.in/libc.preinst: simplify the version comparison by only comparing the two first parts, now that kernel 2.X are not supported anymore.
* debian/debhelper.in/libc.preinst: drop the check for kernel release > 255 now that glibc and preinstall script are fixed.
* iconv program can hang when invoked with the -c option (CVE-2016-10228)
* LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries (CVE-2019-19126)
* buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding (CVE-2019-25013)
* use-after-free in glob() function when expanding ~user (CVE-2020-1752)
* signed comparison vulnerability in the ARMv7 memcpy function (CVE-2020-6096)
* stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions (CVE-2020-10029)
* iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop (CVE-2020-27618)
* Assertion failure in ISO-2022-JP-3 gconv module related to combining characters (CVE-2021-3326)
* Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)
* Use-after-free in addgetnetgrentX function in netgroupcache.c (CVE-2021-27645)
* mq_notify does not handle separately allocated thread attributes (CVE-2021-33574)
* Arbitrary read in wordexp() (CVE-2021-35942)
* Stack-based buffer overflow in svcunix_create via long pathnames (CVE-2022-23218)
* Stack-based buffer overflow in sunrpc clnt_create via a long pathname (CVE-2022-23219)
Comment 1 Quality Assurance univentionstaff 2022-10-20 07:00:16 CEST
--- mirror/ftp/pool/main/g/glibc/glibc_2.28-10+deb10u1.dsc
+++ apt/ucs_5.0-0-errata5.0-2/source/glibc_2.28-10+deb10u2.dsc
@@ -1,3 +1,21 @@
+2.28-10+deb10u2 [Sat, 08 Oct 2022 17:53:16 +0200] Helmut Grohne <helmut@subdivi.de>:
+
+  * Non-maintainer upload by LTS team.
+  * CVE-2016-10228 iconv option parsing Closes: #856503
+  * CVE-2019-19126 setuid environment filtering Closes: #945250
+  * CVE-2019-25013 oob read in iconv Closes: #979273
+  * CVE-2020-1752 use after free in glob Closes: #953788
+  * CVE-2020-6096 [arm] memcpy underflow Closes: #961452
+  * CVE-2020-10029 sinl buffer overflow Closes: #953108
+  * CVE-2020-27618 iconv infinite loop Closes: #973914
+  * CVE-2021-3326 iconv abort Closes: #981198
+  * CVE-2021-3999 oob write for getcwd size 1
+  * CVE-2021-27645 nscd double free Closes: #983479
+  * CVE-2021-33574 mq_notify use after free Closes: #989147
+  * CVE-2021-35942 wordexp input validation Closes: #990542
+  * CVE-2022-23218 svcunix_create buffer overflow
+  * CVE-2022-23219 clnt_create buffer overflow
+
 2.28-10+deb10u1 [Tue, 15 Mar 2022 23:48:49 +0100] Aurelien Jarno <aurel32@debian.org>:
 
   [ Aurelien Jarno ]
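
Review bot: The entries for CVE-2021-3999, CVE-2022-23218 and CVE-2022-23219 in the added 2.28-10+deb10u2 block carry no "Closes:" reference, unlike the other eleven CVE lines, so those three fixes cannot be traced to a Debian bug from the changelog alone. Add the bug number where one exists, or state that none was filed. The summaries are also very terse ("oob write for getcwd size 1"); naming the affected function and the triggering condition in each line would make the errata text easier to check against this list.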

<http://piuparts.knut.univention.de/5.0-2/#2441511648471421374>
Comment 2 Philipp Hahn univentionstaff 2022-10-20 08:55:40 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-2] ea45314a93 Bug #55326: glibc 2.28-10+deb10u2
 doc/errata/staging/glibc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[5.0-2] 2fdb0baa34 Bug #55326: glibc 2.28-10+deb10u2
 doc/errata/staging/glibc.yaml | 49 +++++++++++++------------------------------
 1 file changed, 15 insertions(+), 34 deletions(-)

[5.0-2] b7f900974e Bug #55326: glibc 2.28-10+deb10u2
 doc/errata/staging/glibc.yaml | 66 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)