Accepting request 1171104 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1171104 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=290
2024-05-08 09:38:32 +00:00 · 2024-05-08 09:38:32 +00:00 · 2f8cb3ad6a
commit 2f8cb3ad6a
parent d3adb6ac11 293988be41
3 changed files with 45 additions and 0 deletions
--- a/glibc-fix-cve-2024-33599.patch
+++ b/glibc-fix-cve-2024-33599.patch
@ -0,0 +1,37 @@
+From 87801a8fd06db1d654eea3e4f7626ff476a9bdaa Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 25 Apr 2024 15:00:45 +0200
+Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup
+ cache (bug 31677)
+
+Using alloca matches what other caches do.  The request length is
+bounded by MAXKEYLEN.
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+---
+ nscd/netgroupcache.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index 0c6e46f15c..f227dc7fa2 100644
+--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
+@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+       = (struct indataset *) mempool_alloc (db,
+ 					    sizeof (*dataset) + req->key_len,
+ 					    1);
+-  struct indataset dataset_mem;
+   bool cacheable = true;
+   if (__glibc_unlikely (dataset == NULL))
+     {
+       cacheable = false;
+-      dataset = &dataset_mem;
+      /* The alloca is safe because nscd_run_worker verfies that
+	 key_len is not larger than MAXKEYLEN.  */
+      dataset = alloca (sizeof (*dataset) + req->key_len);
+     }
+ 
+   datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
+-- 
+2.44.0
+
--- a/glibc.changes
+++ b/glibc.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Apr 29 17:42:43 UTC 2024 - Giuliano Belinassi <giuliano.belinassi@suse.com>
+
+- glibc-fix-cve-2024-33599.patch: nscd: Stack-based buffer overflow in
+  netgroup cache (CVE-2024-33599, bsc#1223423)
+
 -------------------------------------------------------------------
 Thu Apr 18 07:55:49 UTC 2024 - Andreas Schwab <schwab@suse.de>

--- a/glibc.spec
+++ b/glibc.spec
@ -314,6 +314,8 @@ Patch1003:      sigisemptyset.patch
 Patch1004:      stdbit-builtins.patch
 # PATCH-FIX-UPSTREAM iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961)
 Patch1005:      iconv-iso-2022-cn-ext.patch
+# PATCH-FIX-UPSTREAM: CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache
+Patch1006:      glibc-fix-cve-2024-33599.patch
 %endif

 ###