Bug#1062006: bullseye-pu: package glibc/2.31-13+deb11u8
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glibc@packages.debian.org
Control: affects -1 + src:glibc
[ Reason ]
A memory corruption was discovered in glibc's qsort()
function, due to a missing bounds check, when called by a program
with a non-transitive comparison function and a large number of
attacker-controlled elements. As the use of qsort() with a
non-transitive comparison function is undefined according to POSIX and
ISO C standards, this is not considered a vulnerability in glibc
itself (hence no CVE number has been assigned).
However, as misbehaving callers seem to be relatively common, it is
still a security issue and the qsort() function needs to be hardened
against them.
[ Impact ]
Installations will be left vulnerable to the qsort() security issue.
[ Tests ]
There is no specific test added for that change, however there are a few
upstream tests checking qsort().
[ Risks ]
The code change is very simple, and has been reviewed as part of
DSA-561-11. In addition a similar change went upstream a few weeks ago:
https://sourceware.org/git/?p=glibc.git;a=commit;h=e4d8117b82065dc72e8df80097360e7c05a349b9
https://sourceware.org/git/?p=glibc.git;a=commit;h=b9390ba93676c4b1e87e218af5e7e4bb596312ac
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The change basically just adds a bounds check to a test. This is what got
uploaded in 2.36-9+deb12u4 for bookworm-security and 2.37-15 for
unstable.
[ Other info ]
Given the limited changes, I have already uploaded the package to the
archive. Thanks for considering.
diff -Nru glibc-2.31/debian/changelog glibc-2.31/debian/changelog
--- glibc-2.31/debian/changelog 2023-10-02 22:22:57.000000000 +0200
+++ glibc-2.31/debian/changelog 2024-01-28 23:58:14.000000000 +0100
@@ -1,3 +1,10 @@
+glibc (2.31-13+deb11u8) bullseye; urgency=medium
+
+ * debian/patches/any/local-qsort-memory-corruption.patch: Fix a memory
+ corruption in qsort() when using nontransitive comparison functions.
+
+ -- Aurelien Jarno <aurel32@debian.org> Sun, 28 Jan 2024 23:58:14 +0100
+
glibc (2.31-13+deb11u7) bullseye-security; urgency=medium
* debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the
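Review bot: The new 2.31-13+deb11u8 entry names the patch file but gives no reference for the fix: no bug closure and no pointer to the two upstream commits cited in the request. Since the request itself says no CVE was assigned, the changelog is the only place an administrator can learn what this is, so a short origin reference in the entry would make it traceable. The wording "nontransitive" here also differs from "non-transitive" in the request text; picking one makes the entry easier to search for.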
diff -Nru glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch
--- glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch 1970-01-01 01:00:00.000000000 +0100
+++ glibc-2.31/debian/patches/any/local-qsort-memory-corruption.patch 2024-01-28 23:58:14.000000000 +0100
@@ -0,0 +1,13 @@
+diff -rup a/stdlib/qsort.c b/stdlib/qsort.c
+--- a/stdlib/qsort.c 2023-07-31 10:54:16.000000000 -0700
++++ b/stdlib/qsort.c 2024-01-15 09:08:25.596167959 -0800
+@@ -224,7 +224,8 @@ _quicksort (void *const pbase, size_t to
+ while ((run_ptr += size) <= end_ptr)
+ {
+ tmp_ptr = run_ptr - size;
+- while ((*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0)
++ while (tmp_ptr != base_ptr
++ && (*cmp) ((void *) run_ptr, (void *) tmp_ptr, arg) < 0)
+ tmp_ptr -= size;
+
+ tmp_ptr += size;
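Review bot: The embedded patch file begins directly at its "diff -rup a/stdlib/qsort.c" line with no header, so nothing in the file records a description, author or origin; a DEP-3 style header (Description, Origin) above the diff would tie it to the upstream commits mentioned in the request. In the changed loop condition, "tmp_ptr != base_ptr" is evaluated before the call to cmp, so the backward scan now always stops at base_ptr and the element there is never passed to the comparison function. That is the intended hardening, but the hunk adds no source comment saying so, and a one-line comment next to the new condition would keep a later cleanup from treating it as redundant. The request also states that no specific test was added; a regression test using an inconsistent comparison function would cover this line.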
diff -Nru glibc-2.31/debian/patches/series glibc-2.31/debian/patches/series
--- glibc-2.31/debian/patches/series 2023-10-02 22:18:17.000000000 +0200
+++ glibc-2.31/debian/patches/series 2024-01-28 23:58:14.000000000 +0100
@@ -170,3 +170,4 @@
any/git-ld.so-cache-endianness-markup.diff
any/local-CVE-2021-33574-mq_notify-use-after-free.diff
any/local-CVE-2023-4911.patch
+any/local-qsort-memory-corruption.patch
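The effect of the bounds check described under [ Reason ], as an added example that is not part of the original message or of glibc: a small index-based model of the insertion loop, run with and without the added condition. The comparator, the PAD slots standing in for memory in front of the array, and the sample values are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PAD 4  /* model only: slots standing in for memory before the array */

/* Constructed non-transitive comparator: 0 < 1 and 1 < 2, but 2 < 0. */
static int cycle_cmp(int a, int b)
{
    if (a == b)
        return 0;
    return ((a - b + 3) % 3 == 1) ? 1 : -1;
}

/* Insertion pass shaped like the loop in the hunk, on indexes instead of
   pointers. The array proper is buf[PAD .. PAD+n-1]. Returns how many slots
   in front of the array were overwritten (0 means none). */
static int insertion_pass(int *buf, int n, int guarded)
{
    int base = PAD, worst = 0;
    for (int run = base + 2; run < base + n; run++) {
        int tmp = run - 1;
        while ((!guarded || tmp != base)   /* the check the patch adds */
               && tmp >= 0                 /* model limit, keeps reads inside buf */
               && cycle_cmp(buf[run], buf[tmp]) < 0)
            tmp--;
        tmp++;                             /* insertion position */
        if (base - tmp > worst)
            worst = base - tmp;
        int v = buf[run];
        memmove(&buf[tmp + 1], &buf[tmp], (size_t)(run - tmp) * sizeof buf[0]);
        buf[tmp] = v;
    }
    return worst;
}

/* Constructed input: front slots {2,1,1,1}, array {1,1,0}. Under cycle_cmp the
   last element compares below every 1, so buf[PAD] is no lower bound for it. */
static int demo(int guarded)
{
    int buf[PAD + 3] = { 2, 1, 1, 1, 1, 1, 0 };
    return insertion_pass(buf, 3, guarded);
}

int main(void)
{
    printf("without check: %d slots before the array overwritten\n", demo(0));
    printf("with check:    %d slots before the array overwritten\n", demo(1));
    return 0;
}
```

In the model the front slots belong to the same buffer, so the unguarded run stays memory-safe while still showing where the insertion lands.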