From: "Denys Dmytriyenko" <denis@denix.org>
To: Anatol Belski <anbelski@linux.microsoft.com>
Cc: "Jamaluddin,
	Khairul Rohaizzat" <khairul.rohaizzat.jamaluddin@intel.com>,
	Khem Raj <raj.khem@gmail.com>,
	Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
Date: Mon, 15 Mar 2021 17:36:06 -0400
Message-ID: <20210315213606.GP4892@denix.org>
In-Reply-To: <f2d269853c88992f528419d5d20139a42728cada.camel@linux.microsoft.com>

https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable.2FLTS_Patch_Acceptance_Policies

Stable/LTS Patch Acceptance Policies

Potentially Acceptable:
* Bug fix only version upgrades for upstreams with a good stable process

Unacceptable:
* General version upgrades


So, unless there's a bugfix-only minor release of glibc, e.g. 2.31.1, 
upgrading to 2.32 or 2.33 in stable branches is highly unlikely, as both 
2.32 and 2.33 have long lists of major changes:

https://sourceware.org/pipermail/libc-announce/2020/000029.html
https://sourceware.org/pipermail/libc-announce/2021/000030.html

-- 
Regards,
Denys Dmytriyenko <denis@denix.org>
PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964
Fingerprint: 25FC E4A5 8A72 2F69 1186  6D76 4209 0272 9A92 C964


On Sun, Mar 14, 2021 at 12:20:00AM +0100, Anatol Belski wrote:
> Hi,
> 
> looking at the state of the upstream glibc 2.31, pulling the latest
> upstream might be more suitable than cherry-picking patches. Depending
> on the recipe maintainers' opinion, it might be a good time to do
> so as some other CVE issues are fixed there, too.
> 
> Thanks
> 
> Anatol
> 
> On Fri, 2021-03-12 at 23:15 +0000, Jamaluddin, Khairul Rohaizzat wrote:
> > Just did some checking for versions glibc-2.31 and glibc-2.32 (used
> > in dunfell and gatesgarth respectively), both of these versions
> > cannot use this patch as these versions don't have the file
> > involved, netgroupcache.c
> > 
> > 
> > Thank you & Kind regards,
> > Khairul
> > 
> > -----Original Message-----
> > From: Jamaluddin, Khairul Rohaizzat 
> > Sent: Saturday, March 13, 2021 3:34 AM
> > To: Khem Raj <raj.khem@gmail.com>
> > Cc: Patches and discussions about the oe-core layer
> > <openembedded-core@lists.openembedded.org>
> > Subject: RE: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
> > 
> > Yes, seems to be in the list as well..
> > The version for both branches is within the versions mentioned in the
> > CVE too.
> > 
> > 
> > Thank you & Kind regards,
> > Khairul
> > 
> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Khem Raj
> > Sent: Friday, March 12, 2021 7:56 AM
> > To: Jamaluddin, Khairul Rohaizzat
> > <khairul.rohaizzat.jamaluddin@intel.com>
> > Cc: Patches and discussions about the oe-core layer
> > <openembedded-core@lists.openembedded.org>
> > Subject: Re: [OE-core] [PATCH] glibc: Fix CVE-2021-27645
> > 
> > On Thu, Mar 11, 2021 at 7:21 AM Jamaluddin, Khairul Rohaizzat
> > <khairul.rohaizzat.jamaluddin@intel.com> wrote:
> > > 
> > > From: Khairul Rohaizzat Jamaluddin
> > > <khairul.rohaizzat.jamaluddin@intel.com>
> > > 
> > > CVE:
> > > CVE-2021-27645
> > > 
> > 
> > lgtm. Do we need it for dunfell and gatesgarth as well ?
> > 
> > > Signed-off-by: Khairul Rohaizzat Jamaluddin 
> > > <khairul.rohaizzat.jamaluddin@intel.com>
> > > ---
> > >  .../glibc/glibc/CVE-2021-27645.patch          | 51
> > > +++++++++++++++++++
> > >  meta/recipes-core/glibc/glibc_2.33.bb         |  1 +
> > >  2 files changed, 52 insertions(+)
> > >  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-
> > > 27645.patch
> > > 
> > > diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> > > b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> > > new file mode 100644
> > > index 0000000000..26c5c0d2a9
> > > --- /dev/null
> > > +++ b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
> > > @@ -0,0 +1,51 @@
> > > +From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00
> > > +2001
> > > +From: DJ Delorie <dj@redhat.com>
> > > +Date: Thu, 25 Feb 2021 16:08:21 -0500
> > > +Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ
> > > #27462]
> > > +
> > > +In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-
> > > free 
> > > +was fixed, but this led to an occasional double-free.  This patch 
> > > +tracks the "live" allocation better.
> > > +
> > > +Tested manually by a third party.
> > > +
> > > +Related: RHBZ 1927877
> > > +
> > > +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> > > +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> > > +
> > > +Upstream-Status: Backport
> > > +[https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd79
> > > +66e15f0ca42ee5cff686673]
> > > +
> > > +CVE: CVE-2021-27645
> > > +
> > > +Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> > > +Signed-off-by: Khairul Rohaizzat Jamaluddin 
> > > +<khairul.rohaizzat.jamaluddin@intel.com>
> > > +---
> > > + nscd/netgroupcache.c | 4 ++--
> > > + 1 file changed, 2 insertions(+), 2 deletions(-)
> > > +
> > > +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 
> > > +dba6ceec1b..ad2daddafd 100644
> > > +--- a/nscd/netgroupcache.c
> > > ++++ b/nscd/netgroupcache.c
> > > +@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int
> > > fd, request_header *req,
> > > +                                            : NULL);
> > > +                                   ndomain = (ndomain ? newbuf +
> > > ndomaindiff
> > > +                                              : NULL);
> > > +-                                  buffer = newbuf;
> > > ++                                  *tofreep = buffer = newbuf;
> > > +                                 }
> > > +
> > > +                               nhost = memcpy (buffer + bufused,
> > > @@
> > > +-319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd,
> > > request_header *req,
> > > +                   else if (status == NSS_STATUS_TRYAGAIN && e ==
> > > ERANGE)
> > > +                     {
> > > +                       buflen *= 2;
> > > +-                      buffer = xrealloc (buffer, buflen);
> > > ++                      *tofreep = buffer = xrealloc (buffer,
> > > buflen);
> > > +                     }
> > > +                   else if (status == NSS_STATUS_RETURN
> > > +                            || status == NSS_STATUS_NOTFOUND
> > > +--
> > > +2.27.0
> > > +
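Review bot: The embedded patch header carries `Reviewed-by: Carlos O'Donell <carlos@redhat.com>` twice, once among the upstream trailers and again just above the backporter's Signed-off-by; drop the second copy so the upstream tags appear once, followed by Upstream-Status, CVE and the Signed-off-by. On the code itself, both changed sites in addgetnetgrentX update `*tofreep` at the point where `buffer` is replaced (the `newbuf` assignment and the `xrealloc` on ERANGE). Since the fix depends on that pointer always tracking the live allocation, it is worth confirming, when carrying this to another glibc version, that the function has no other reassignment of `buffer`.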
> > > diff --git a/meta/recipes-core/glibc/glibc_2.33.bb
> > > b/meta/recipes-core/glibc/glibc_2.33.bb
> > > index c47826a51e..d0a290822b 100644
> > > --- a/meta/recipes-core/glibc/glibc_2.33.bb
> > > +++ b/meta/recipes-core/glibc/glibc_2.33.bb
> > > @@ -45,6 +45,7 @@ SRC_URI = 
> > > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> > >            
> > > file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
> > >             
> > > file://0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch
> > >  
> > > \
> > >             
> > > file://0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch \
> > > +           file://CVE-2021-27645.patch \
> > >             "
> > >  S = "${WORKDIR}/git"
> > >  B = "${WORKDIR}/build-${TARGET_SYS}"
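Review bot: The new SRC_URI entry is added only to glibc_2.33.bb, so this change covers the 2.33 recipe alone; any branch shipping a different glibc recipe needs its own backport if it is affected. The commit message above the diffstat also gives just the CVE id; one line saying this is the nscd netgroupcache double free (BZ #27462) would help anyone reading the log without opening the patch file.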
> > > --
> > > 2.29.0
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 

