Debian Bug report logs - #1069191
glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 17 Apr 2024 19:03:01 UTC
Severity: grave
Tags: security, upstream
Found in versions glibc/2.36-9+deb12u4, glibc/2.36-9+deb12u5, glibc/2.31-13, glibc/2.37-17, glibc/2.31-13+deb11u8, glibc/2.37-15, glibc/2.36-9
Fixed in versions glibc/2.37-18, glibc/2.36-9+deb12u6, glibc/2.31-13+deb11u9
Done: Aurelien Jarno <aurel32@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#1069191; Package src:glibc. (Wed, 17 Apr 2024 19:03:03 GMT) (full text, mbox, link).
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Wed, 17 Apr 2024 19:03:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: glibc
Version: 2.37-17
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.37-15
Control: found -1 2.36-9+deb12u5
Control: found -1 2.36-9+deb12u4
Control: found -1 2.36-9
Control: found -1 2.31-13+deb11u8
Control: found -1 2.31-13
Hi,
The following vulnerability was published for glibc.
CVE-2024-2961[0]:
| The iconv() function in the GNU C Library versions 2.39 and older
| may overflow the output buffer passed to it by up to 4 bytes when
| converting strings to the ISO-2022-CN-EXT character set, which may
| be used to crash an application or overwrite a neighbouring
| variable.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-2961
https://www.cve.org/CVERecord?id=CVE-2024-2961
[1] https://www.openwall.com/lists/oss-security/2024/04/17/9
Regards,
Salvatore
Marked as found in versions glibc/2.37-15. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 17 Apr 2024 19:03:03 GMT) (full text, mbox, link).
Marked as found in versions glibc/2.36-9+deb12u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 17 Apr 2024 19:03:04 GMT) (full text, mbox, link).
Marked as found in versions glibc/2.36-9+deb12u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 17 Apr 2024 19:03:05 GMT) (full text, mbox, link).
Marked as found in versions glibc/2.36-9. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 17 Apr 2024 19:03:05 GMT) (full text, mbox, link).
Marked as found in versions glibc/2.31-13+deb11u8. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 17 Apr 2024 19:03:06 GMT) (full text, mbox, link).
Marked as found in versions glibc/2.31-13. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 17 Apr 2024 19:03:06 GMT) (full text, mbox, link).
Severity set to 'grave' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 18 Apr 2024 21:51:02 GMT) (full text, mbox, link).
Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1069191. (Fri, 19 Apr 2024 05:18:03 GMT) (full text, mbox, link).
Message #22 received at 1069191-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #1069191 in glibc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/glibc-team/glibc/-/commit/994a994014c13b43ffc4768a8969cc44045d7a67
------------------------------------------------------------------------
debian/patches/git-updates.diff: update from upstream stable branch:
* debian/patches/git-updates.diff: update from upstream stable branch:
- Fix fix out-of-bound writes when writing escape sequence in iconv
ISO-2022-CN-EXT module (CVE-2024-2961). Closes: #1069191.
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1069191
Added tag(s) pending. Request was from Aurelien Jarno <noreply@salsa.debian.org> to 1069191-submitter@bugs.debian.org. (Fri, 19 Apr 2024 05:18:03 GMT) (full text, mbox, link).
Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Fri, 19 Apr 2024 05:24:03 GMT) (full text, mbox, link).
Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 19 Apr 2024 05:24:03 GMT) (full text, mbox, link).
Message #29 received at 1069191-close@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: glibc
Source-Version: 2.37-18
Done: Aurelien Jarno <aurel32@debian.org>
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1069191@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 19 Apr 2024 07:10:32 +0200
Source: glibc
Architecture: source
Version: 2.37-18
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1069191
Changes:
glibc (2.37-18) unstable; urgency=medium
.
* debian/patches/git-updates.diff: update from upstream stable branch:
- Fix fix out-of-bound writes when writing escape sequence in iconv
ISO-2022-CN-EXT module (CVE-2024-2961). Closes: #1069191.
Checksums-Sha1:
55a2d32004c64d219b2c24802cc30e5a7aa02729 9043 glibc_2.37-18.dsc
6e6a9646c9296dc7de9b321f2a07a432472ff27b 422556 glibc_2.37-18.debian.tar.xz
1b076043374ce74f757b97bf54b4dca9705b9a33 10084 glibc_2.37-18_source.buildinfo
Checksums-Sha256:
53fec1eca4e1c6e7ccb36a533eeb3e6b76c6ba5ecfb6ad0e66ee251ae356b638 9043 glibc_2.37-18.dsc
2d04ca854821da8d1a414d0afa20812cba5e3cfb9e10da7d824f9d8215acccad 422556 glibc_2.37-18.debian.tar.xz
c8e98dd7add508db574499a2543b7d6f425dde3bee4de28502977dac0392f0c0 10084 glibc_2.37-18_source.buildinfo
Files:
7f6b5b38d801a916027c292fedf6c6af 9043 libs required glibc_2.37-18.dsc
62a072981057354cea926396dd00c0ff 422556 libs required glibc_2.37-18.debian.tar.xz
87335394d5cf6b840689e187a8b591e7 10084 libs required glibc_2.37-18_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAmYh/VUACgkQE4jA+Jno
M2s+5w//SZHS7bFkz8VPpL2HrkP1cYgMuCswNIyLtf9h3533u9V4LU/XfEIh6OGV
7WnGDMO3HGUr2RvrgN5JqYRIP0YO5XaYJtkZrr9Tgy4QshTf8KZxxML2nKYJW62h
GSEH8rPyHGjWwOgIOZ1tlMUp2Io+l15SEfMotOmDfjIoc5epwlXqdp1pgZaAlxZn
i72jTm+Bj7/BlfTjYmrl1VDKJUw6fJmN+GOhEhl1eOsLWl1QN3S+d/pwtaPbgscF
rCN18d9r1IodH8wpUmAKosgZ7hDuEIlL/+Z5f1YwcquE5+UtzVv7VfCor289Xi1i
rKSTy7Eyurfh/zvfBvl9gdgmN66Y+Ey4h8ks1HkItQS53R6QjFaFqiNOjDNF1VKv
MOvsqENoARp3fS/gcbL53mEi53pSvPWIiaiZygQ/2aonwIFEJSKC6s4QQ96OIjSs
AJVCKjVYFU1Kht5kAr5yhUEg0fdcj11jLLF5UD7ZXABx4fFU+aKffnBd4qfiNRsY
4l/3hxKv6gsxaBVEAINCXJZmuMv7xz/Ir6YcKATQdiGNgTRijxJ6teqr+uUrxgqt
k5DxrVntZwL8Xoy20gIejYwRGx4MlhSW5eYGWXyygyG8rnt6T+rR8eo+/WF0Blnq
fzImbXtNf+vHkOpgAGmk7iIuG8MJZcFIEIRn/3vrYsghAqsq56U=
=EcGb
-----END PGP SIGNATURE-----
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#1069191; Package src:glibc. (Mon, 22 Apr 2024 07:33:02 GMT) (full text, mbox, link).
Acknowledgement sent to Charlemagne Lasse <charlemagnelasse@gmail.com>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Mon, 22 Apr 2024 07:33:02 GMT) (full text, mbox, link).
Message #34 received at 1069191@bugs.debian.org (full text, mbox, reply):
Hi,
Can this be backported to older Debian versions via the security repo?
This bug can be used to execute code when using the PHP engine:
* https://www.offensivecon.org/speakers/2024/charles-fol.html
* https://www.openwall.com/lists/oss-security/2024/04/18/4
Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Tue, 23 Apr 2024 16:51:03 GMT) (full text, mbox, link).
Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 23 Apr 2024 16:51:03 GMT) (full text, mbox, link).
Message #39 received at 1069191-close@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: glibc
Source-Version: 2.36-9+deb12u6
Done: Aurelien Jarno <aurel32@debian.org>
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1069191@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 19 Apr 2024 18:34:04 +0200
Source: glibc
Architecture: source
Version: 2.36-9+deb12u6
Distribution: bookworm-security
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1069191
Changes:
glibc (2.36-9+deb12u6) bookworm-security; urgency=medium
.
* debian/patches/any/local-CVE-2024-2961-iso-2022-cn-ext.diff: Fix
out-of-bound writes when writing escape sequence in iconv ISO-2022-CN-EXT
module (CVE-2024-2961). Closes: #1069191.
Checksums-Sha1:
89201c9a3dc4b12a21085158cc671e65ef2cd2d2 9761 glibc_2.36-9+deb12u6.dsc
ce2b34137062a0ddba922d5b34a80770737bb59c 858672 glibc_2.36-9+deb12u6.debian.tar.xz
a44d3239eba25b6c7f4ce2756457d71ae0b857ac 9744 glibc_2.36-9+deb12u6_source.buildinfo
Checksums-Sha256:
fbd6a3b34c8019bc677c1aa3c55a7cdd2fac0f5226151d408cbf107e89002c10 9761 glibc_2.36-9+deb12u6.dsc
dab8173d6a6393b50ed0737bd32ff993a3fa7bf4a837573eab8c67f1391ecb12 858672 glibc_2.36-9+deb12u6.debian.tar.xz
7ee850a9b13f43b44460b82fd59ca548b22123dd500bf942c3af4acbbb957bf6 9744 glibc_2.36-9+deb12u6_source.buildinfo
Files:
d98990edb6c22014e5b8c48aa43152c9 9761 libs required glibc_2.36-9+deb12u6.dsc
65d05b6e083f7e0d364a30fa0349efd9 858672 libs required glibc_2.36-9+deb12u6.debian.tar.xz
1cdb197b7714c8fd5c6e9ca7d19aa569 9744 libs required glibc_2.36-9+deb12u6_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAmYirqMACgkQE4jA+Jno
M2sPNQ/+LTclWWW5JsLlpFpI1n0eCno6yzVxuU7nW31IffIRQ/eNYPqKa2iM+Wi+
q41DfI/0KV8yLdVkGiTofVK4RnFAAwN7FIzX0NBazCNlhr3cgBOR33YS8ep0bOfN
EjXAS0PYsUwCB1Rf5ozKja6j0Lt8oWoodhRYayL29/WA8yf7oJru/Xaho0bVj68B
lP29vRFEtNeBcG+s9iR617jlnUrbyY+1qCP5CwtRH6cBTKM6RozK8hCcNiw/BSwx
S9wK+62oMNOpUJaOJLfuIygJH0nwaHzKQU+MQkQhI97ROeJJkGOhzBjAZK44CjkZ
HYsizViEUO2Qjq5stTuExD6uYeLK9lcmlhwRgQVqqyQTRKoUOssQDeiNY/SyYscH
3f/HbUJ4QYQ5mlnpYrP3i7EQ2qHbzHEy6qgnmhhnoiPBr7vFQ7/CijIzt7RF78E8
B3XWTiWFuy5SCouXtEoJHhWrE2XNU/w5Ucpe+e2R23mnu5362ECGGvT+WHU2maaD
TBdCwNYqw1oA5iy5XwF/FdlRqSEQk88vohl73EFPHl9HTyYiKcxlocQgRFRumv7x
NFPHMxk27kGm7kXJb0FtBT7XOX+XUOjbCYRiNqWMlT/mH8bFg/Ey5KXI9TKXUjHB
+fQKMYdXSn9O1waG9XFkDmz5TmrbP2+4vv9iahgXoanYnezUKCY=
=p/cK
-----END PGP SIGNATURE-----
[Message part 2 (application/pgp-signature, inline)]
Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Tue, 23 Apr 2024 16:51:05 GMT) (full text, mbox, link).
Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 23 Apr 2024 16:51:05 GMT) (full text, mbox, link).
Message #44 received at 1069191-close@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: glibc
Source-Version: 2.31-13+deb11u9
Done: Aurelien Jarno <aurel32@debian.org>
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1069191@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 19 Apr 2024 22:40:26 +0200
Source: glibc
Architecture: source
Version: 2.31-13+deb11u9
Distribution: bullseye-security
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1069191
Changes:
glibc (2.31-13+deb11u9) bullseye-security; urgency=medium
.
* debian/patches/any/local-CVE-2024-2961-iso-2022-cn-ext.patch: Fix
out-of-bound writes when writing escape sequence in iconv ISO-2022-CN-EXT
module (CVE-2024-2961). Closes: #1069191.
Checksums-Sha1:
d555a20390c7fba05a2cd1f5419bf973c1e9a969 8347 glibc_2.31-13+deb11u9.dsc
60fc288d2351b8b8c2b6ad23aa1f8f65c795249c 961928 glibc_2.31-13+deb11u9.debian.tar.xz
42ef9addd34cfe89709a746373618fcea2ea8d11 9270 glibc_2.31-13+deb11u9_source.buildinfo
Checksums-Sha256:
d434d56ceee9b81ca36558abdf21fe95ce96dd0be5f296c4d1394a53aac3bdce 8347 glibc_2.31-13+deb11u9.dsc
c57f8a2e9bfbedeb110cfe35f9aa387337464ab1233de37f520a802f828a2b97 961928 glibc_2.31-13+deb11u9.debian.tar.xz
cd4f7494c0cb52b6f0d8b001cffb111b21f8d33515f43321103b41224e6b2dba 9270 glibc_2.31-13+deb11u9_source.buildinfo
Files:
1380cc777ac43126bbdd4897ee61b795 8347 libs required glibc_2.31-13+deb11u9.dsc
1d4c2a4a8ac6df5fa8aa09d321aed75b 961928 libs required glibc_2.31-13+deb11u9.debian.tar.xz
b5e0bcd9c0e7954c897758490d5647ad 9270 libs required glibc_2.31-13+deb11u9_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAmYi2KcACgkQE4jA+Jno
M2tKbBAAiAu+/4xAq5ZQxjpEcxESNsgZomD1Wz0z17IuvkQD1+bUYAkFu/Bkxz+k
hSA7COEzXSO8xEp2fmkRPrL711MR2USsDde0muZFHHYpcBQXgGJdRwSDnFJ9HE/l
nGgaBHJSQyi/li8lGuGLjiRECCzLZF6pw0mAggEkULwnjN0FG7kMW39EBcZAABpX
WmZacAJOozUDTYNEowx4V+lwDujMUKr6nxrtL1xUUsMnY7wcU7Kd/hOCXgcU37VO
fjYQkDw5XBLCP/sDgxjAtsv5Ep4qLcsbm23SAycv00JUygyL4/OolQWSU8vSt8Bs
Pdfdd1CaTSY+LdjrxtHXxFbKsNcjXI+2u2GNQ8m8jzvYEB4j2yX6dyE1zOugxOBo
EOZNu13+/8Tn6XFm7gsQmo4CBju9je3CpgrWAa+XGUP3KKWe+XotmqlkEJwZDn3X
XXZaGYNtb5HebmUgQhs+H56J/qpcv2Cb4CM4K7mF/e3YKzwAb53qHsisjYN+krMC
QEfdEqUl9i1ip8f2z6ME8WB+92mfCg/i3YOk5NfdBS6BQWXeDAtkALyxxWRZgIsa
4vPDc0poYFTpUj6QrqbymlSnC/iKVUydrmjrok6XhxuJUrE+vcM7EK0lfChyVP17
rm8hcN2/xVHOebJFPTC9+jWr4VQHoBFND2unKHib2xH+2lkJVFg=
=tfsn
-----END PGP SIGNATURE-----
[Message part 2 (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#1069191; Package src:glibc. (Thu, 02 May 2024 00:15:03 GMT) (full text, mbox, link).
Acknowledgement sent to Miguel Jacq <mig@mig5.net>:
Extra info received and forwarded to list. Copy sent to GNU Libc Maintainers <debian-glibc@lists.debian.org>. (Thu, 02 May 2024 00:15:03 GMT) (full text, mbox, link).
Message #49 received at 1069191@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, 22 Apr 2024 09:31:39 +0200 Charlemagne Lasse <charlemagnelasse@gmail.com> wrote:
> Hi,
>
> Can this be backported to older Debian versions via the security repo?
> This bug can be used to execute code when using the PHP engine:
>
> * https://www.offensivecon.org/speakers/2024/charles-fol.html
> * https://www.openwall.com/lists/oss-security/2024/04/18/4
>
Indeed.. I know that buster is old-old stable, but starting to get nervous that it
doesn't contain the fix that Bullseye and Bookworm have. Especially as we approach
the date of a security conference that will talk about this issue.
Is anyone on the LTS team working on it for Buster? That might also help trickle
down to ELTS for Stretch/Jessie?
[signature.asc (application/pgp-signature, inline)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jun 7 21:25:25 2024; Machine Name: bembo Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.