[PATCH] glibc: Fix CVE-2021-27645

[PATCH] glibc: Fix CVE-2021-27645

[Jamaluddin, Khairul Rohaizzat]

From: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>

CVE:
CVE-2021-27645

Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
---
 .../glibc/glibc/CVE-2021-27645.patch          | 51 +++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.33.bb         |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-27645.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
new file mode 100644
index 0000000000..26c5c0d2a9
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
@@ -0,0 +1,51 @@
+From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00 2001
+From: DJ Delorie <dj@redhat.com>
+Date: Thu, 25 Feb 2021 16:08:21 -0500
+Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ #27462]
+
+In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
+was fixed, but this led to an occasional double-free.  This patch
+tracks the "live" allocation better.
+
+Tested manually by a third party.
+
+Related: RHBZ 1927877
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673]
+
+CVE: CVE-2021-27645
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ nscd/netgroupcache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index dba6ceec1b..ad2daddafd 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ 					     : NULL);
+ 				    ndomain = (ndomain ? newbuf + ndomaindiff
+ 					       : NULL);
+-				    buffer = newbuf;
++				    *tofreep = buffer = newbuf;
+ 				  }
+ 
+ 				nhost = memcpy (buffer + bufused,
+@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ 		    else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
+ 		      {
+ 			buflen *= 2;
+-			buffer = xrealloc (buffer, buflen);
++			*tofreep = buffer = xrealloc (buffer, buflen);
+ 		      }
+ 		    else if (status == NSS_STATUS_RETURN
+ 			     || status == NSS_STATUS_NOTFOUND
+-- 
+2.27.0
+
diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb
index c47826a51e..d0a290822b 100644
--- a/meta/recipes-core/glibc/glibc_2.33.bb
+++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -45,6 +45,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
            file://0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch \
            file://0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch \
+           file://CVE-2021-27645.patch \
            "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
-- 
2.29.0

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Khem Raj]

On Thu, Mar 11, 2021 at 7:21 AM Jamaluddin, Khairul Rohaizzat
<khairul.rohaizzat.jamaluddin@intel.com> wrote:
>
> From: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
>
> CVE:
> CVE-2021-27645
>

lgtm. Do we need it for dunfell and gatesgarth as well ?

> Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
> ---
>  .../glibc/glibc/CVE-2021-27645.patch          | 51 +++++++++++++++++++
>  meta/recipes-core/glibc/glibc_2.33.bb         |  1 +
>  2 files changed, 52 insertions(+)
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> new file mode 100644
> index 0000000000..26c5c0d2a9
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> @@ -0,0 +1,51 @@
> +From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00 2001
> +From: DJ Delorie <dj@redhat.com>
> +Date: Thu, 25 Feb 2021 16:08:21 -0500
> +Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ #27462]
> +
> +In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
> +was fixed, but this led to an occasional double-free.  This patch
> +tracks the "live" allocation better.
> +
> +Tested manually by a third party.
> +
> +Related: RHBZ 1927877
> +
> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673]
> +
> +CVE: CVE-2021-27645
> +
> +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> +Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
> +---
> + nscd/netgroupcache.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
> +index dba6ceec1b..ad2daddafd 100644
> +--- a/nscd/netgroupcache.c
> ++++ b/nscd/netgroupcache.c
> +@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> +                                            : NULL);
> +                                   ndomain = (ndomain ? newbuf + ndomaindiff
> +                                              : NULL);
> +-                                  buffer = newbuf;
> ++                                  *tofreep = buffer = newbuf;
> +                                 }
> +
> +                               nhost = memcpy (buffer + bufused,
> +@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> +                   else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
> +                     {
> +                       buflen *= 2;
> +-                      buffer = xrealloc (buffer, buflen);
> ++                      *tofreep = buffer = xrealloc (buffer, buflen);
> +                     }
> +                   else if (status == NSS_STATUS_RETURN
> +                            || status == NSS_STATUS_NOTFOUND
> +--
> +2.27.0
> +
> diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb
> index c47826a51e..d0a290822b 100644
> --- a/meta/recipes-core/glibc/glibc_2.33.bb
> +++ b/meta/recipes-core/glibc/glibc_2.33.bb
> @@ -45,6 +45,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
>             file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
>             file://0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch \
>             file://0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch \
> +           file://CVE-2021-27645.patch \
>             "
>  S = "${WORKDIR}/git"
>  B = "${WORKDIR}/build-${TARGET_SYS}"
> --
> 2.29.0
>
>
> 
>

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Jamaluddin, Khairul Rohaizzat]

Yes, seems to be in the list as well..
The version for both branch is within the versions mentioned in the CVE too.


Thank you & Kind regards,
Khairul

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Khem Raj
Sent: Friday, March 12, 2021 7:56 AM
To: Jamaluddin, Khairul Rohaizzat <khairul.rohaizzat.jamaluddin@intel.com>
Cc: Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

On Thu, Mar 11, 2021 at 7:21 AM Jamaluddin, Khairul Rohaizzat <khairul.rohaizzat.jamaluddin@intel.com> wrote:
>
> From: Khairul Rohaizzat Jamaluddin 
> <khairul.rohaizzat.jamaluddin@intel.com>
>
> CVE:
> CVE-2021-27645
>

lgtm. Do we need it for dunfell and gatesgarth as well ?

> Signed-off-by: Khairul Rohaizzat Jamaluddin 
> <khairul.rohaizzat.jamaluddin@intel.com>
> ---
>  .../glibc/glibc/CVE-2021-27645.patch          | 51 +++++++++++++++++++
>  meta/recipes-core/glibc/glibc_2.33.bb         |  1 +
>  2 files changed, 52 insertions(+)
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch 
> b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> new file mode 100644
> index 0000000000..26c5c0d2a9
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> @@ -0,0 +1,51 @@
> +From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00 
> +2001
> +From: DJ Delorie <dj@redhat.com>
> +Date: Thu, 25 Feb 2021 16:08:21 -0500
> +Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ #27462]
> +
> +In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free 
> +was fixed, but this led to an occasional double-free.  This patch 
> +tracks the "live" allocation better.
> +
> +Tested manually by a third party.
> +
> +Related: RHBZ 1927877
> +
> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> +
> +Upstream-Status: Backport 
> +[https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd79
> +66e15f0ca42ee5cff686673]
> +
> +CVE: CVE-2021-27645
> +
> +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> +Signed-off-by: Khairul Rohaizzat Jamaluddin 
> +<khairul.rohaizzat.jamaluddin@intel.com>
> +---
> + nscd/netgroupcache.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 
> +dba6ceec1b..ad2daddafd 100644
> +--- a/nscd/netgroupcache.c
> ++++ b/nscd/netgroupcache.c
> +@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> +                                            : NULL);
> +                                   ndomain = (ndomain ? newbuf + ndomaindiff
> +                                              : NULL);
> +-                                  buffer = newbuf;
> ++                                  *tofreep = buffer = newbuf;
> +                                 }
> +
> +                               nhost = memcpy (buffer + bufused, @@ 
> +-319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> +                   else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
> +                     {
> +                       buflen *= 2;
> +-                      buffer = xrealloc (buffer, buflen);
> ++                      *tofreep = buffer = xrealloc (buffer, buflen);
> +                     }
> +                   else if (status == NSS_STATUS_RETURN
> +                            || status == NSS_STATUS_NOTFOUND
> +--
> +2.27.0
> +
> diff --git a/meta/recipes-core/glibc/glibc_2.33.bb 
> b/meta/recipes-core/glibc/glibc_2.33.bb
> index c47826a51e..d0a290822b 100644
> --- a/meta/recipes-core/glibc/glibc_2.33.bb
> +++ b/meta/recipes-core/glibc/glibc_2.33.bb
> @@ -45,6 +45,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
>             file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
>             file://0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch \
>             
> file://0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch \
> +           file://CVE-2021-27645.patch \
>             "
>  S = "${WORKDIR}/git"
>  B = "${WORKDIR}/build-${TARGET_SYS}"
> --
> 2.29.0
>
>
> 
>

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Jamaluddin, Khairul Rohaizzat]

Just did some checking for versions glibc-2.31 and glibc-2.32 (used in dunfell and gatesgarth respectively), both of these versions cannot use this patch as these versions doesn't have the file involved, netgroupcache.c


Thank you & Kind regards,
Khairul

-----Original Message-----
From: Jamaluddin, Khairul Rohaizzat 
Sent: Saturday, March 13, 2021 3:34 AM
To: Khem Raj <raj.khem@gmail.com>
Cc: Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>
Subject: RE: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

Yes, seems to be in the list as well..
The version for both branch is within the versions mentioned in the CVE too.


Thank you & Kind regards,
Khairul

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Khem Raj
Sent: Friday, March 12, 2021 7:56 AM
To: Jamaluddin, Khairul Rohaizzat <khairul.rohaizzat.jamaluddin@intel.com>
Cc: Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

On Thu, Mar 11, 2021 at 7:21 AM Jamaluddin, Khairul Rohaizzat <khairul.rohaizzat.jamaluddin@intel.com> wrote:
>
> From: Khairul Rohaizzat Jamaluddin
> <khairul.rohaizzat.jamaluddin@intel.com>
>
> CVE:
> CVE-2021-27645
>

lgtm. Do we need it for dunfell and gatesgarth as well ?

> Signed-off-by: Khairul Rohaizzat Jamaluddin 
> <khairul.rohaizzat.jamaluddin@intel.com>
> ---
>  .../glibc/glibc/CVE-2021-27645.patch          | 51 +++++++++++++++++++
>  meta/recipes-core/glibc/glibc_2.33.bb         |  1 +
>  2 files changed, 52 insertions(+)
>  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> new file mode 100644
> index 0000000000..26c5c0d2a9
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> @@ -0,0 +1,51 @@
> +From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00
> +2001
> +From: DJ Delorie <dj@redhat.com>
> +Date: Thu, 25 Feb 2021 16:08:21 -0500
> +Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ #27462]
> +
> +In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free 
> +was fixed, but this led to an occasional double-free.  This patch 
> +tracks the "live" allocation better.
> +
> +Tested manually by a third party.
> +
> +Related: RHBZ 1927877
> +
> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> +
> +Upstream-Status: Backport
> +[https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd79
> +66e15f0ca42ee5cff686673]
> +
> +CVE: CVE-2021-27645
> +
> +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> +Signed-off-by: Khairul Rohaizzat Jamaluddin 
> +<khairul.rohaizzat.jamaluddin@intel.com>
> +---
> + nscd/netgroupcache.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 
> +dba6ceec1b..ad2daddafd 100644
> +--- a/nscd/netgroupcache.c
> ++++ b/nscd/netgroupcache.c
> +@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> +                                            : NULL);
> +                                   ndomain = (ndomain ? newbuf + ndomaindiff
> +                                              : NULL);
> +-                                  buffer = newbuf;
> ++                                  *tofreep = buffer = newbuf;
> +                                 }
> +
> +                               nhost = memcpy (buffer + bufused, @@
> +-319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> +                   else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
> +                     {
> +                       buflen *= 2;
> +-                      buffer = xrealloc (buffer, buflen);
> ++                      *tofreep = buffer = xrealloc (buffer, buflen);
> +                     }
> +                   else if (status == NSS_STATUS_RETURN
> +                            || status == NSS_STATUS_NOTFOUND
> +--
> +2.27.0
> +
> diff --git a/meta/recipes-core/glibc/glibc_2.33.bb
> b/meta/recipes-core/glibc/glibc_2.33.bb
> index c47826a51e..d0a290822b 100644
> --- a/meta/recipes-core/glibc/glibc_2.33.bb
> +++ b/meta/recipes-core/glibc/glibc_2.33.bb
> @@ -45,6 +45,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
>             file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
>             
> file://0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch 
> \
>             
> file://0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch \
> +           file://CVE-2021-27645.patch \
>             "
>  S = "${WORKDIR}/git"
>  B = "${WORKDIR}/build-${TARGET_SYS}"
> --
> 2.29.0
>
>
> 
>

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Anatol Belski]

Hi,

looking at the state of the upstream glibc 2.31, pulling the latest
upstream might be more suitable than cherry-picking patches. Depending
on the recipe maintainers opinion, it might be a good time time to do
so as some other CVE issues are fixed there, too.

Thanks

Anatol

On Fri, 2021-03-12 at 23:15 +0000, Jamaluddin, Khairul Rohaizzat wrote:
> Just did some checking for versions glibc-2.31 and glibc-2.32 (used
> in dunfell and gatesgarth respectively), both of these versions
> cannot use this patch as these versions doesn't have the file
> involved, netgroupcache.c
> 
> 
> Thank you & Kind regards,
> Khairul
> 
> -----Original Message-----
> From: Jamaluddin, Khairul Rohaizzat 
> Sent: Saturday, March 13, 2021 3:34 AM
> To: Khem Raj <raj.khem@gmail.com>
> Cc: Patches and discussions about the oe-core layer
> <openembedded-core@lists.openembedded.org>
> Subject: RE: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
> 
> Yes, seems to be in the list as well..
> The version for both branch is within the versions mentioned in the
> CVE too.
> 
> 
> Thank you & Kind regards,
> Khairul
> 
> -----Original Message-----
> From:
> openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org
> > On Behalf Of Khem Raj
> Sent: Friday, March 12, 2021 7:56 AM
> To: Jamaluddin, Khairul Rohaizzat
> <khairul.rohaizzat.jamaluddin@intel.com>
> Cc: Patches and discussions about the oe-core layer
> <openembedded-core@lists.openembedded.org>
> Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
> 
> On Thu, Mar 11, 2021 at 7:21 AM Jamaluddin, Khairul Rohaizzat
> <khairul.rohaizzat.jamaluddin@intel.com> wrote:
> > 
> > From: Khairul Rohaizzat Jamaluddin
> > <khairul.rohaizzat.jamaluddin@intel.com>
> > 
> > CVE:
> > CVE-2021-27645
> > 
> 
> lgtm. Do we need it for dunfell and gatesgarth as well ?
> 
> > Signed-off-by: Khairul Rohaizzat Jamaluddin 
> > <khairul.rohaizzat.jamaluddin@intel.com>
> > ---
> >  .../glibc/glibc/CVE-2021-27645.patch          | 51
> > +++++++++++++++++++
> >  meta/recipes-core/glibc/glibc_2.33.bb         |  1 +
> >  2 files changed, 52 insertions(+)
> >  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-
> > 27645.patch
> > 
> > diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> > b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> > new file mode 100644
> > index 0000000000..26c5c0d2a9
> > --- /dev/null
> > +++ b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> > @@ -0,0 +1,51 @@
> > +From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00
> > +2001
> > +From: DJ Delorie <dj@redhat.com>
> > +Date: Thu, 25 Feb 2021 16:08:21 -0500
> > +Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ
> > #27462]
> > +
> > +In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-
> > free 
> > +was fixed, but this led to an occasional double-free.  This patch 
> > +tracks the "live" allocation better.
> > +
> > +Tested manually by a third party.
> > +
> > +Related: RHBZ 1927877
> > +
> > +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> > +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> > +
> > +Upstream-Status: Backport
> > +[https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd79
> > +66e15f0ca42ee5cff686673]
> > +
> > +CVE: CVE-2021-27645
> > +
> > +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> > +Signed-off-by: Khairul Rohaizzat Jamaluddin 
> > +<khairul.rohaizzat.jamaluddin@intel.com>
> > +---
> > + nscd/netgroupcache.c | 4 ++--
> > + 1 file changed, 2 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 
> > +dba6ceec1b..ad2daddafd 100644
> > +--- a/nscd/netgroupcache.c
> > ++++ b/nscd/netgroupcache.c
> > +@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int
> > fd, request_header *req,
> > +                                            : NULL);
> > +                                   ndomain = (ndomain ? newbuf +
> > ndomaindiff
> > +                                              : NULL);
> > +-                                  buffer = newbuf;
> > ++                                  *tofreep = buffer = newbuf;
> > +                                 }
> > +
> > +                               nhost = memcpy (buffer + bufused,
> > @@
> > +-319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd,
> > request_header *req,
> > +                   else if (status == NSS_STATUS_TRYAGAIN && e ==
> > ERANGE)
> > +                     {
> > +                       buflen *= 2;
> > +-                      buffer = xrealloc (buffer, buflen);
> > ++                      *tofreep = buffer = xrealloc (buffer,
> > buflen);
> > +                     }
> > +                   else if (status == NSS_STATUS_RETURN
> > +                            || status == NSS_STATUS_NOTFOUND
> > +--
> > +2.27.0
> > +
> > diff --git a/meta/recipes-core/glibc/glibc_2.33.bb
> > b/meta/recipes-core/glibc/glibc_2.33.bb
> > index c47826a51e..d0a290822b 100644
> > --- a/meta/recipes-core/glibc/glibc_2.33.bb
> > +++ b/meta/recipes-core/glibc/glibc_2.33.bb
> > @@ -45,6 +45,7 @@ SRC_URI = 
> > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> >            
> > file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
> >             
> > file://0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch
> >  
> > \
> >             
> > file://0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch \
> > +           file://CVE-2021-27645.patch \
> >             "
> >  S = "${WORKDIR}/git"
> >  B = "${WORKDIR}/build-${TARGET_SYS}"
> > --
> > 2.29.0
> > 
> > 
> > 
> > 
> 
> 
> 

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Denys Dmytriyenko]

https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FLTS_Patch_Acceptance_Policies

Stable/LTS Patch Acceptance Policies

Potentially Acceptable:
* Bug fix only version upgrades for upstreams with a good stable process

Unacceptable:
* General version upgrades


So, unless there's a bugfix-only minor release of glibc, e.g. 2.31.1, 
upgrading to 2.32 or 2.33 in stable branches is highly unlikely, as both 
2.32 and 2.33 have long lists of major changes:

https://sourceware.org/pipermail/libc-announce/2020/000029.html
https://sourceware.org/pipermail/libc-announce/2021/000030.html

-- 
Regards,
Denys Dmytriyenko <denis@denix.org>
PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964


On Sun, Mar 14, 2021 at 12:20:00AM +0100, Anatol Belski wrote:
> Hi,
> 
> looking at the state of the upstream glibc 2.31, pulling the latest
> upstream might be more suitable than cherry-picking patches. Depending
> on the recipe maintainers opinion, it might be a good time time to do
> so as some other CVE issues are fixed there, too.
> 
> Thanks
> 
> Anatol
> 
> On Fri, 2021-03-12 at 23:15 +0000, Jamaluddin, Khairul Rohaizzat wrote:
> > Just did some checking for versions glibc-2.31 and glibc-2.32 (used
> > in dunfell and gatesgarth respectively), both of these versions
> > cannot use this patch as these versions doesn't have the file
> > involved, netgroupcache.c
> > 
> > 
> > Thank you & Kind regards,
> > Khairul
> > 
> > -----Original Message-----
> > From: Jamaluddin, Khairul Rohaizzat 
> > Sent: Saturday, March 13, 2021 3:34 AM
> > To: Khem Raj <raj.khem@gmail.com>
> > Cc: Patches and discussions about the oe-core layer
> > <openembedded-core@lists.openembedded.org>
> > Subject: RE: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
> > 
> > Yes, seems to be in the list as well..
> > The version for both branch is within the versions mentioned in the
> > CVE too.
> > 
> > 
> > Thank you & Kind regards,
> > Khairul
> > 
> > -----Original Message-----
> > From:
> > openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org
> > > On Behalf Of Khem Raj
> > Sent: Friday, March 12, 2021 7:56 AM
> > To: Jamaluddin, Khairul Rohaizzat
> > <khairul.rohaizzat.jamaluddin@intel.com>
> > Cc: Patches and discussions about the oe-core layer
> > <openembedded-core@lists.openembedded.org>
> > Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
> > 
> > On Thu, Mar 11, 2021 at 7:21 AM Jamaluddin, Khairul Rohaizzat
> > <khairul.rohaizzat.jamaluddin@intel.com> wrote:
> > > 
> > > From: Khairul Rohaizzat Jamaluddin
> > > <khairul.rohaizzat.jamaluddin@intel.com>
> > > 
> > > CVE:
> > > CVE-2021-27645
> > > 
> > 
> > lgtm. Do we need it for dunfell and gatesgarth as well ?
> > 
> > > Signed-off-by: Khairul Rohaizzat Jamaluddin 
> > > <khairul.rohaizzat.jamaluddin@intel.com>
> > > ---
> > >  .../glibc/glibc/CVE-2021-27645.patch          | 51
> > > +++++++++++++++++++
> > >  meta/recipes-core/glibc/glibc_2.33.bb         |  1 +
> > >  2 files changed, 52 insertions(+)
> > >  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-
> > > 27645.patch
> > > 
> > > diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> > > b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> > > new file mode 100644
> > > index 0000000000..26c5c0d2a9
> > > --- /dev/null
> > > +++ b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> > > @@ -0,0 +1,51 @@
> > > +From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00
> > > +2001
> > > +From: DJ Delorie <dj@redhat.com>
> > > +Date: Thu, 25 Feb 2021 16:08:21 -0500
> > > +Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ
> > > #27462]
> > > +
> > > +In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-
> > > free 
> > > +was fixed, but this led to an occasional double-free.  This patch 
> > > +tracks the "live" allocation better.
> > > +
> > > +Tested manually by a third party.
> > > +
> > > +Related: RHBZ 1927877
> > > +
> > > +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> > > +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> > > +
> > > +Upstream-Status: Backport
> > > +[https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd79
> > > +66e15f0ca42ee5cff686673]
> > > +
> > > +CVE: CVE-2021-27645
> > > +
> > > +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> > > +Signed-off-by: Khairul Rohaizzat Jamaluddin 
> > > +<khairul.rohaizzat.jamaluddin@intel.com>
> > > +---
> > > + nscd/netgroupcache.c | 4 ++--
> > > + 1 file changed, 2 insertions(+), 2 deletions(-)
> > > +
> > > +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 
> > > +dba6ceec1b..ad2daddafd 100644
> > > +--- a/nscd/netgroupcache.c
> > > ++++ b/nscd/netgroupcache.c
> > > +@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int
> > > fd, request_header *req,
> > > +                                            : NULL);
> > > +                                   ndomain = (ndomain ? newbuf +
> > > ndomaindiff
> > > +                                              : NULL);
> > > +-                                  buffer = newbuf;
> > > ++                                  *tofreep = buffer = newbuf;
> > > +                                 }
> > > +
> > > +                               nhost = memcpy (buffer + bufused,
> > > @@
> > > +-319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd,
> > > request_header *req,
> > > +                   else if (status == NSS_STATUS_TRYAGAIN && e ==
> > > ERANGE)
> > > +                     {
> > > +                       buflen *= 2;
> > > +-                      buffer = xrealloc (buffer, buflen);
> > > ++                      *tofreep = buffer = xrealloc (buffer,
> > > buflen);
> > > +                     }
> > > +                   else if (status == NSS_STATUS_RETURN
> > > +                            || status == NSS_STATUS_NOTFOUND
> > > +--
> > > +2.27.0
> > > +
> > > diff --git a/meta/recipes-core/glibc/glibc_2.33.bb
> > > b/meta/recipes-core/glibc/glibc_2.33.bb
> > > index c47826a51e..d0a290822b 100644
> > > --- a/meta/recipes-core/glibc/glibc_2.33.bb
> > > +++ b/meta/recipes-core/glibc/glibc_2.33.bb
> > > @@ -45,6 +45,7 @@ SRC_URI = 
> > > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> > >            
> > > file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
> > >             
> > > file://0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch
> > >  
> > > \
> > >             
> > > file://0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch \
> > > +           file://CVE-2021-27645.patch \
> > >             "
> > >  S = "${WORKDIR}/git"
> > >  B = "${WORKDIR}/build-${TARGET_SYS}"
> > > --
> > > 2.29.0
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Anatol Belski]

Hi,

On 3/15/2021 10:36 PM, Denys Dmytriyenko wrote:
> https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FLTS_Patch_Acceptance_Policies
>
> Stable/LTS Patch Acceptance Policies
>
> Potentially Acceptable:
> * Bug fix only version upgrades for upstreams with a good stable process
>
> Unacceptable:
> * General version upgrades
>
>
> So, unless there's a bugfix-only minor release of glibc, e.g. 2.31.1,
> upgrading to 2.32 or 2.33 in stable branches is highly unlikely, as both
> 2.32 and 2.33 have long lists of major changes:
>
> https://sourceware.org/pipermail/libc-announce/2020/000029.html
> https://sourceware.org/pipermail/libc-announce/2021/000030.html

thanks for linking the LTS doc.

My suggestion was to pull the latest upstream from 2.31 actually, not 
upgrading the glibc version. As per

http://git.yoctoproject.org/clean/cgit.cgi/poky/tree/meta/recipes-core/glibc/glibc-version.inc?h=dunfell

we consume from the branch release/2.31/master. It already contains the 
backported patch fixing this CVE.

There doesn't seem to be a release process in terms of versions, but it 
regularly receives backports. In fact,

there are already some bug and CVE fixes between the current SRCREV used 
and HEAD.

Regards

Anatol

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Steve Sakoman]

On Tue, Mar 16, 2021 at 2:56 AM Anatol Belski
<anbelski@linux.microsoft.com> wrote:
>
> Hi,
>
> On 3/15/2021 10:36 PM, Denys Dmytriyenko wrote:
> > https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FLTS_Patch_Acceptance_Policies
> >
> > Stable/LTS Patch Acceptance Policies
> >
> > Potentially Acceptable:
> > * Bug fix only version upgrades for upstreams with a good stable process
> >
> > Unacceptable:
> > * General version upgrades
> >
> >
> > So, unless there's a bugfix-only minor release of glibc, e.g. 2.31.1,
> > upgrading to 2.32 or 2.33 in stable branches is highly unlikely, as both
> > 2.32 and 2.33 have long lists of major changes:
> >
> > https://sourceware.org/pipermail/libc-announce/2020/000029.html
> > https://sourceware.org/pipermail/libc-announce/2021/000030.html
>
> thanks for linking the LTS doc.
>
> My suggestion was to pull the latest upstream from 2.31 actually, not
> upgrading the glibc version. As per
>
> http://git.yoctoproject.org/clean/cgit.cgi/poky/tree/meta/recipes-core/glibc/glibc-version.inc?h=dunfell
>
> we consume from the branch release/2.31/master. It already contains the
> backported patch fixing this CVE.
>
> There doesn't seem to be a release process in terms of versions, but it
> regularly receives backports. In fact,
>
> there are already some bug and CVE fixes between the current SRCREV used
> and HEAD.

I'd be happy to take such a patch for dunfell.

I'll add it to my to do list to look into this, but if someone has the
time/inclination to tackle this it might get done sooner :-)

Since there is no versioning from upstream it will be important in
this patch to make sure that we whitelist all of the CVE's that are
fixed with the bump in SRCREV.

Steve

> Regards
>
> Anatol
>
>
>
> 
>

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Anatol Belski]

Hi,

On 3/16/2021 4:45 PM, Steve Sakoman wrote:
> On Tue, Mar 16, 2021 at 2:56 AM Anatol Belski
> <anbelski@linux.microsoft.com> wrote:
>> Hi,
>>
>> On 3/15/2021 10:36 PM, Denys Dmytriyenko wrote:
>>> https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FLTS_Patch_Acceptance_Policies
>>>
>>> Stable/LTS Patch Acceptance Policies
>>>
>>> Potentially Acceptable:
>>> * Bug fix only version upgrades for upstreams with a good stable process
>>>
>>> Unacceptable:
>>> * General version upgrades
>>>
>>>
>>> So, unless there's a bugfix-only minor release of glibc, e.g. 2.31.1,
>>> upgrading to 2.32 or 2.33 in stable branches is highly unlikely, as both
>>> 2.32 and 2.33 have long lists of major changes:
>>>
>>> https://sourceware.org/pipermail/libc-announce/2020/000029.html
>>> https://sourceware.org/pipermail/libc-announce/2021/000030.html
>> thanks for linking the LTS doc.
>>
>> My suggestion was to pull the latest upstream from 2.31 actually, not
>> upgrading the glibc version. As per
>>
>> http://git.yoctoproject.org/clean/cgit.cgi/poky/tree/meta/recipes-core/glibc/glibc-version.inc?h=dunfell
>>
>> we consume from the branch release/2.31/master. It already contains the
>> backported patch fixing this CVE.
>>
>> There doesn't seem to be a release process in terms of versions, but it
>> regularly receives backports. In fact,
>>
>> there are already some bug and CVE fixes between the current SRCREV used
>> and HEAD.
> I'd be happy to take such a patch for dunfell.
>
> I'll add it to my to do list to look into this, but if someone has the
> time/inclination to tackle this it might get done sooner :-)
>
> Since there is no versioning from upstream it will be important in
> this patch to make sure that we whitelist all of the CVE's that are
> fixed with the bump in SRCREV.
>
I'd be able to do a run on this closer to the end of this week, if no 
one beats me to it (perhaps Khairul, the initial patch contributor ;)).

Regards

Anatol

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Jamaluddin, Khairul Rohaizzat]

Hi,

Please do correct me if I'm wrong, is the final verdict for glibc on dunfell is to whitelist all the CVEs that were applied before the commit used in SRCREV?
I'm not really sure what needs to be done here..


Thank you & Kind regards,
Khairul

-----Original Message-----
From: Anatol Belski <anbelski@linux.microsoft.com> 
Sent: Wednesday, March 17, 2021 4:24 AM
To: Steve Sakoman <steve@sakoman.com>
Cc: Denys Dmytriyenko <denis@denix.org>; Jamaluddin, Khairul Rohaizzat <khairul.rohaizzat.jamaluddin@intel.com>; Khem Raj <raj.khem@gmail.com>; Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

Hi,

On 3/16/2021 4:45 PM, Steve Sakoman wrote:
> On Tue, Mar 16, 2021 at 2:56 AM Anatol Belski 
> <anbelski@linux.microsoft.com> wrote:
>> Hi,
>>
>> On 3/15/2021 10:36 PM, Denys Dmytriyenko wrote:
>>> https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FL
>>> TS_Patch_Acceptance_Policies
>>>
>>> Stable/LTS Patch Acceptance Policies
>>>
>>> Potentially Acceptable:
>>> * Bug fix only version upgrades for upstreams with a good stable 
>>> process
>>>
>>> Unacceptable:
>>> * General version upgrades
>>>
>>>
>>> So, unless there's a bugfix-only minor release of glibc, e.g. 
>>> 2.31.1, upgrading to 2.32 or 2.33 in stable branches is highly 
>>> unlikely, as both
>>> 2.32 and 2.33 have long lists of major changes:
>>>
>>> https://sourceware.org/pipermail/libc-announce/2020/000029.html
>>> https://sourceware.org/pipermail/libc-announce/2021/000030.html
>> thanks for linking the LTS doc.
>>
>> My suggestion was to pull the latest upstream from 2.31 actually, not 
>> upgrading the glibc version. As per
>>
>> http://git.yoctoproject.org/clean/cgit.cgi/poky/tree/meta/recipes-cor
>> e/glibc/glibc-version.inc?h=dunfell
>>
>> we consume from the branch release/2.31/master. It already contains 
>> the backported patch fixing this CVE.
>>
>> There doesn't seem to be a release process in terms of versions, but 
>> it regularly receives backports. In fact,
>>
>> there are already some bug and CVE fixes between the current SRCREV 
>> used and HEAD.
> I'd be happy to take such a patch for dunfell.
>
> I'll add it to my to do list to look into this, but if someone has the 
> time/inclination to tackle this it might get done sooner :-)
>
> Since there is no versioning from upstream it will be important in 
> this patch to make sure that we whitelist all of the CVE's that are 
> fixed with the bump in SRCREV.
>
I'd be able to do a run on this closer to the end of this week, if no one beats me to it (perhaps Khairul, the initial patch contributor ;)).

Regards

Anatol

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Khem Raj]

yes please submit a minor SRCREV bump and see how it goes.

On 3/18/21 11:31 AM, Jamaluddin, Khairul Rohaizzat wrote:
> Hi,
> 
> Please do correct me if I'm wrong, is the final verdict for glibc on dunfell is to whitelist all the CVEs that were applied before the commit used in SRCREV?
> I'm not really sure what needs to be done here..
> 
> 
> Thank you & Kind regards,
> Khairul
> 
> -----Original Message-----
> From: Anatol Belski <anbelski@linux.microsoft.com>
> Sent: Wednesday, March 17, 2021 4:24 AM
> To: Steve Sakoman <steve@sakoman.com>
> Cc: Denys Dmytriyenko <denis@denix.org>; Jamaluddin, Khairul Rohaizzat <khairul.rohaizzat.jamaluddin@intel.com>; Khem Raj <raj.khem@gmail.com>; Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>
> Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
> 
> Hi,
> 
> On 3/16/2021 4:45 PM, Steve Sakoman wrote:
>> On Tue, Mar 16, 2021 at 2:56 AM Anatol Belski
>> <anbelski@linux.microsoft.com> wrote:
>>> Hi,
>>>
>>> On 3/15/2021 10:36 PM, Denys Dmytriyenko wrote:
>>>> https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FL
>>>> TS_Patch_Acceptance_Policies
>>>>
>>>> Stable/LTS Patch Acceptance Policies
>>>>
>>>> Potentially Acceptable:
>>>> * Bug fix only version upgrades for upstreams with a good stable
>>>> process
>>>>
>>>> Unacceptable:
>>>> * General version upgrades
>>>>
>>>>
>>>> So, unless there's a bugfix-only minor release of glibc, e.g.
>>>> 2.31.1, upgrading to 2.32 or 2.33 in stable branches is highly
>>>> unlikely, as both
>>>> 2.32 and 2.33 have long lists of major changes:
>>>>
>>>> https://sourceware.org/pipermail/libc-announce/2020/000029.html
>>>> https://sourceware.org/pipermail/libc-announce/2021/000030.html
>>> thanks for linking the LTS doc.
>>>
>>> My suggestion was to pull the latest upstream from 2.31 actually, not
>>> upgrading the glibc version. As per
>>>
>>> http://git.yoctoproject.org/clean/cgit.cgi/poky/tree/meta/recipes-cor
>>> e/glibc/glibc-version.inc?h=dunfell
>>>
>>> we consume from the branch release/2.31/master. It already contains
>>> the backported patch fixing this CVE.
>>>
>>> There doesn't seem to be a release process in terms of versions, but
>>> it regularly receives backports. In fact,
>>>
>>> there are already some bug and CVE fixes between the current SRCREV
>>> used and HEAD.
>> I'd be happy to take such a patch for dunfell.
>>
>> I'll add it to my to do list to look into this, but if someone has the
>> time/inclination to tackle this it might get done sooner :-)
>>
>> Since there is no versioning from upstream it will be important in
>> this patch to make sure that we whitelist all of the CVE's that are
>> fixed with the bump in SRCREV.
>>
> I'd be able to do a run on this closer to the end of this week, if no one beats me to it (perhaps Khairul, the initial patch contributor ;)).
> 
> Regards
> 
> Anatol
> 

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Steve Sakoman]

On Thu, Mar 18, 2021 at 8:31 AM Jamaluddin, Khairul Rohaizzat
<khairul.rohaizzat.jamaluddin@intel.com> wrote:
>
> Hi,
>
> Please do correct me if I'm wrong, is the final verdict for glibc on dunfell is to whitelist all the CVEs that were applied before the commit used in SRCREV?
> I'm not really sure what needs to be done here..

My guess is:

1. Bump SRCREV to current head of the 2.31.1 branch
2. Remove patches from the recipe that are already included in the new head
3. See what breaks and fix it ;-)
4. Identify any new CVE's that are fixed as a result of moving to the
new head and add them to the whitelist.

It's unfortunate that we need to deal with keeping the whitelist
accurate, but since upstream doesn't do version bumps there is no way
for the cve checker to know that these fixes are included.

Steve

>
>
> Thank you & Kind regards,
> Khairul
>
> -----Original Message-----
> From: Anatol Belski <anbelski@linux.microsoft.com>
> Sent: Wednesday, March 17, 2021 4:24 AM
> To: Steve Sakoman <steve@sakoman.com>
> Cc: Denys Dmytriyenko <denis@denix.org>; Jamaluddin, Khairul Rohaizzat <khairul.rohaizzat.jamaluddin@intel.com>; Khem Raj <raj.khem@gmail.com>; Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>
> Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
>
> Hi,
>
> On 3/16/2021 4:45 PM, Steve Sakoman wrote:
> > On Tue, Mar 16, 2021 at 2:56 AM Anatol Belski
> > <anbelski@linux.microsoft.com> wrote:
> >> Hi,
> >>
> >> On 3/15/2021 10:36 PM, Denys Dmytriyenko wrote:
> >>> https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FL
> >>> TS_Patch_Acceptance_Policies
> >>>
> >>> Stable/LTS Patch Acceptance Policies
> >>>
> >>> Potentially Acceptable:
> >>> * Bug fix only version upgrades for upstreams with a good stable
> >>> process
> >>>
> >>> Unacceptable:
> >>> * General version upgrades
> >>>
> >>>
> >>> So, unless there's a bugfix-only minor release of glibc, e.g.
> >>> 2.31.1, upgrading to 2.32 or 2.33 in stable branches is highly
> >>> unlikely, as both
> >>> 2.32 and 2.33 have long lists of major changes:
> >>>
> >>> https://sourceware.org/pipermail/libc-announce/2020/000029.html
> >>> https://sourceware.org/pipermail/libc-announce/2021/000030.html
> >> thanks for linking the LTS doc.
> >>
> >> My suggestion was to pull the latest upstream from 2.31 actually, not
> >> upgrading the glibc version. As per
> >>
> >> http://git.yoctoproject.org/clean/cgit.cgi/poky/tree/meta/recipes-cor
> >> e/glibc/glibc-version.inc?h=dunfell
> >>
> >> we consume from the branch release/2.31/master. It already contains
> >> the backported patch fixing this CVE.
> >>
> >> There doesn't seem to be a release process in terms of versions, but
> >> it regularly receives backports. In fact,
> >>
> >> there are already some bug and CVE fixes between the current SRCREV
> >> used and HEAD.
> > I'd be happy to take such a patch for dunfell.
> >
> > I'll add it to my to do list to look into this, but if someone has the
> > time/inclination to tackle this it might get done sooner :-)
> >
> > Since there is no versioning from upstream it will be important in
> > this patch to make sure that we whitelist all of the CVE's that are
> > fixed with the bump in SRCREV.
> >
> I'd be able to do a run on this closer to the end of this week, if no one beats me to it (perhaps Khairul, the initial patch contributor ;)).
>
> Regards
>
> Anatol
>

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Khem Raj]

On 3/18/21 12:29 PM, Steve Sakoman wrote:
> On Thu, Mar 18, 2021 at 8:31 AM Jamaluddin, Khairul Rohaizzat
> <khairul.rohaizzat.jamaluddin@intel.com> wrote:
>>
>> Hi,
>>
>> Please do correct me if I'm wrong, is the final verdict for glibc on dunfell is to whitelist all the CVEs that were applied before the commit used in SRCREV?
>> I'm not really sure what needs to be done here..
> 
> My guess is:
> 
> 1. Bump SRCREV to current head of the 2.31.1 branch
> 2. Remove patches from the recipe that are already included in the new head
> 3. See what breaks and fix it ;-)
> 4. Identify any new CVE's that are fixed as a result of moving to the
> new head and add them to the whitelist.
> 
> It's unfortunate that we need to deal with keeping the whitelist
> accurate, but since upstream doesn't do version bumps there is no way
> for the cve checker to know that these fixes are included.

right thanks for the detailed list. this seems correct steps to me.
> 
> Steve
> 
>>
>>
>> Thank you & Kind regards,
>> Khairul
>>
>> -----Original Message-----
>> From: Anatol Belski <anbelski@linux.microsoft.com>
>> Sent: Wednesday, March 17, 2021 4:24 AM
>> To: Steve Sakoman <steve@sakoman.com>
>> Cc: Denys Dmytriyenko <denis@denix.org>; Jamaluddin, Khairul Rohaizzat <khairul.rohaizzat.jamaluddin@intel.com>; Khem Raj <raj.khem@gmail.com>; Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>
>> Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
>>
>> Hi,
>>
>> On 3/16/2021 4:45 PM, Steve Sakoman wrote:
>>> On Tue, Mar 16, 2021 at 2:56 AM Anatol Belski
>>> <anbelski@linux.microsoft.com> wrote:
>>>> Hi,
>>>>
>>>> On 3/15/2021 10:36 PM, Denys Dmytriyenko wrote:
>>>>> https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FL
>>>>> TS_Patch_Acceptance_Policies
>>>>>
>>>>> Stable/LTS Patch Acceptance Policies
>>>>>
>>>>> Potentially Acceptable:
>>>>> * Bug fix only version upgrades for upstreams with a good stable
>>>>> process
>>>>>
>>>>> Unacceptable:
>>>>> * General version upgrades
>>>>>
>>>>>
>>>>> So, unless there's a bugfix-only minor release of glibc, e.g.
>>>>> 2.31.1, upgrading to 2.32 or 2.33 in stable branches is highly
>>>>> unlikely, as both
>>>>> 2.32 and 2.33 have long lists of major changes:
>>>>>
>>>>> https://sourceware.org/pipermail/libc-announce/2020/000029.html
>>>>> https://sourceware.org/pipermail/libc-announce/2021/000030.html
>>>> thanks for linking the LTS doc.
>>>>
>>>> My suggestion was to pull the latest upstream from 2.31 actually, not
>>>> upgrading the glibc version. As per
>>>>
>>>> http://git.yoctoproject.org/clean/cgit.cgi/poky/tree/meta/recipes-cor
>>>> e/glibc/glibc-version.inc?h=dunfell
>>>>
>>>> we consume from the branch release/2.31/master. It already contains
>>>> the backported patch fixing this CVE.
>>>>
>>>> There doesn't seem to be a release process in terms of versions, but
>>>> it regularly receives backports. In fact,
>>>>
>>>> there are already some bug and CVE fixes between the current SRCREV
>>>> used and HEAD.
>>> I'd be happy to take such a patch for dunfell.
>>>
>>> I'll add it to my to do list to look into this, but if someone has the
>>> time/inclination to tackle this it might get done sooner :-)
>>>
>>> Since there is no versioning from upstream it will be important in
>>> this patch to make sure that we whitelist all of the CVE's that are
>>> fixed with the bump in SRCREV.
>>>
>> I'd be able to do a run on this closer to the end of this week, if no one beats me to it (perhaps Khairul, the initial patch contributor ;)).
>>
>> Regards
>>
>> Anatol
>>

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Denys Dmytriyenko]

On Tue, Mar 16, 2021 at 01:56:43PM +0100, Anatol Belski wrote:
> Hi,
> 
> On 3/15/2021 10:36 PM, Denys Dmytriyenko wrote:
> >https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FLTS_Patch_Acceptance_Policies
> >
> >Stable/LTS Patch Acceptance Policies
> >
> >Potentially Acceptable:
> >* Bug fix only version upgrades for upstreams with a good stable process
> >
> >Unacceptable:
> >* General version upgrades
> >
> >
> >So, unless there's a bugfix-only minor release of glibc, e.g. 2.31.1,
> >upgrading to 2.32 or 2.33 in stable branches is highly unlikely, as both
> >2.32 and 2.33 have long lists of major changes:
> >
> >https://sourceware.org/pipermail/libc-announce/2020/000029.html
> >https://sourceware.org/pipermail/libc-announce/2021/000030.html
> 
> thanks for linking the LTS doc.
> 
> My suggestion was to pull the latest upstream from 2.31 actually,
> not upgrading the glibc version. As per
> 
> http://git.yoctoproject.org/clean/cgit.cgi/poky/tree/meta/recipes-core/glibc/glibc-version.inc?h=dunfell
> 
> we consume from the branch release/2.31/master. It already contains
> the backported patch fixing this CVE.
> 
> There doesn't seem to be a release process in terms of versions, but
> it regularly receives backports. In fact,
> 
> there are already some bug and CVE fixes between the current SRCREV
> used and HEAD.

Thanks for clarifying. In this case HEAD of release/2.31/master might make 
sense.

-- 
Regards,
Denys Dmytriyenko <denis@denix.org>
PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964

Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645

[Khem Raj]

[-- Attachment #1: Type: text/plain, Size: 1940 bytes --]

On Tue, Mar 16, 2021 at 10:44 AM Denys Dmytriyenko <denis@denix.org> wrote:

> On Tue, Mar 16, 2021 at 01:56:43PM +0100, Anatol Belski wrote:
> > Hi,
> >
> > On 3/15/2021 10:36 PM, Denys Dmytriyenko wrote:
> > >
> https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FLTS_Patch_Acceptance_Policies
> > >
> > >Stable/LTS Patch Acceptance Policies
> > >
> > >Potentially Acceptable:
> > >* Bug fix only version upgrades for upstreams with a good stable process
> > >
> > >Unacceptable:
> > >* General version upgrades
> > >
> > >
> > >So, unless there's a bugfix-only minor release of glibc, e.g. 2.31.1,
> > >upgrading to 2.32 or 2.33 in stable branches is highly unlikely, as both
> > >2.32 and 2.33 have long lists of major changes:
> > >
> > >https://sourceware.org/pipermail/libc-announce/2020/000029.html
> > >https://sourceware.org/pipermail/libc-announce/2021/000030.html
> >
> > thanks for linking the LTS doc.
> >
> > My suggestion was to pull the latest upstream from 2.31 actually,
> > not upgrading the glibc version. As per
> >
> >
> http://git.yoctoproject.org/clean/cgit.cgi/poky/tree/meta/recipes-core/glibc/glibc-version.inc?h=dunfell
> >
> > we consume from the branch release/2.31/master. It already contains
> > the backported patch fixing this CVE.
> >
> > There doesn't seem to be a release process in terms of versions, but
> > it regularly receives backports. In fact,
> >
> > there are already some bug and CVE fixes between the current SRCREV
> > used and HEAD.
>
> Thanks for clarifying. In this case HEAD of release/2.31/master might make
> sense.


This is considered a bug fix only release for 2.31 and we have done such
updates on releases in past

>
>
> --
> Regards,
> Denys Dmytriyenko <denis@denix.org>
> PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
> Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964
>

[-- Attachment #2: Type: text/html, Size: 3287 bytes --]