
Bug#969926: glibc: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications



* Aurelien Jarno:

> On 2021-06-04 20:34, Florian Weimer wrote:
>> * Moritz Mühlenhoff:
>> 
>> > On Wed, Sep 09, 2020 at 12:30:44PM +0200, Aurelien Jarno wrote:
>> >> control: forcemerge 967938 969926
>> >> 
>> >> Hi,
>> >> 
>> >> On 2020-09-09 02:58, Bernd Zeimetz wrote:
>> >> > Source: glibc
>> >> > Version: 2.28-10
>> >> > Severity: serious
>> >> > Tags: security upstream patch
>> >> > X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
>> >> > 
>> >> > Hi,
>> >> > 
>> >> > we are running into the bug
>> >> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
>> >> > causing systemd-sysusers to segfault.
>> >> > 
>> >> > Patch is available in the linked bug report.
>> >> 
>> >> This has already been reported, Florian will work on a backport, as it
>> >> is not straightforward to backport it to buster due to the usage of
>> >> private symbols.
>> >
>> > Florian, did you manage to backport this to 2.31? It would be nice to get this
>> > fixed for a Buster point release still.
>> 
>> Do you mean 2.28?  DJ Delorie did the backport, and Carlos O'Donell
>> implemented the GLIBC_PRIVATE ABI compatibility fix.  I'll see if I
>> can get the patches to apply to Debian's 2.28 tree.
>
> Is it possible to commit those patches to the upstream 2.28 branch? If
> so, I guess we can simply pull the branch in the Debian package, fixing
> many other security bugs at the same time.

I'm concerned about the GLIBC_PRIVATE internal ABI change, it causes
issues if the update is applied without a reboot:

  glibc: After upgrade, before reboot, systemd services using USER= do
  not start (caused by fix for bug 1871397)
  <https://bugzilla.redhat.com/show_bug.cgi?id=1927040>

I guess we can use Carlos' patch for upstream as well.

However, I would also have to backport it to 2.28, 2.29, 2.30, 2.31,
so that we have bug fix monotonicity.  2.31 is probably doable, which
should help bullseye.  It's mostly a psychological thing for me, I'm
very busy with getting patches into glibc 2.34 at work, and downstream
Debian work would be at least slightly different.

