From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Romain Naour <romain.naour@gmail.com>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/{glibc, localedef}: security bump to version glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
Date: Thu, 5 Oct 2023 21:54:57 +0200 [thread overview]
Message-ID: <20231005195457.GA2552@scaer> (raw)
In-Reply-To: <20231005194313.1044692-1-peter@korsgaard.com>
Peter, All,
On 2023-10-05 21:43 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
>
> CVE-2023-4527: If the system is configured in no-aaaa mode via
> /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
> family, and a DNS response is received over TCP that is larger than
> 2048 bytes, getaddrinfo may potentially disclose stack contents via
> the returned address data, or crash.
>
> CVE-2023-4806: When an NSS plugin only implements the
> _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
> memory that was freed during buffer resizing, potentially causing a
> crash or read or write to arbitrary memory.
>
> CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
> an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
> AI_ALL and AI_V4MAPPED flags set.
>
> CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
> environment of a setuid program and NAME is valid, it may result in a
> buffer overflow, which could be exploited to achieve escalated
> privileges. This flaw was introduced in glibc 2.34.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/glibc/glibc.hash | 2 +-
> package/glibc/glibc.mk | 2 +-
> package/localedef/localedef.mk | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
> index 4d2e9fbbd2..00d9f1c985 100644
> --- a/package/glibc/glibc.hash
> +++ b/package/glibc/glibc.hash
> @@ -1,5 +1,5 @@
> # Locally calculated (fetched from Github)
> -sha256 06d73b1804767f83885ab03641e2a7bf8d73f0a6cf8caee4032d8d1cc2e76cce glibc-2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675.tar.gz
> +sha256 fd991e43997ff6e4994264c3cbc23fa87fa28b1b3c446eda8fc2d1d3834a2cfb glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701.tar.gz
>
> # Hashes for license files
> sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 844bed5051..0b71530310 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -7,7 +7,7 @@
> # Generate version string using:
> # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
> # When updating the version, please also update localedef
> -GLIBC_VERSION = 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675
> +GLIBC_VERSION = 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
> # Upstream doesn't officially provide an https download link.
> # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
> # sometimes the connection times out. So use an unofficial github mirror.
> diff --git a/package/localedef/localedef.mk b/package/localedef/localedef.mk
> index 650b319a25..ed6d4b4968 100644
> --- a/package/localedef/localedef.mk
> +++ b/package/localedef/localedef.mk
> @@ -7,7 +7,7 @@
> # Use the same VERSION and SITE as target glibc
> # As in glibc.mk, generate version string using:
> # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
> -LOCALEDEF_VERSION = 2.38-13-g92201f16cbcfd9eafe314ef6654be2ea7ba25675
> +LOCALEDEF_VERSION = 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
> LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
> LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
> HOST_LOCALEDEF_DL_SUBDIR = glibc
> --
> 2.30.2
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2023-10-05 19:55 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-05 19:43 [Buildroot] [PATCH] package/{glibc, localedef}: security bump to version glibc-2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 Peter Korsgaard
2023-10-05 19:54 ` Yann E. MORIN [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231005195457.GA2552@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@buildroot.org \
--cc=peter@korsgaard.com \
--cc=romain.naour@gmail.com \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox