The following security advisories have been published:
GLIBC-SA-2024-0004:
===================
ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
The iconv() function in the GNU C Library versions 2.39 and older may
overflow the output buffer passed to it by up to 4 bytes when converting
strings to the ISO-2022-CN-EXT character set, which may be used to
crash an application or overwrite a neighbouring variable.
ISO-2022-CN-EXT uses escape sequences to indicate character set changes
(as specified by RFC 1922). While the SOdesignation has the expected
bounds checks, neither SS2designation nor SS3designation have its;
allowing a write overflow of 1, 2, or 3 bytes with fixed values:
'$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
CVE-Id: CVE-2024-2961
Public-Date: 2024-04-17
Vulnerable-Commit: 755104edc75c53f4a0e7440334e944ad3c6b32fc (2.1.93-169)
Fix-Commit: f9dc609e06b1136bb0408be9605ce7973a767ada (2.40)
Fix-Commit: 31da30f23cddd36db29d5b6a1c7619361b271fb4 (2.39-31)
Fix-Commit: e1135387deded5d73924f6ca20c72a35dc8e1bda (2.38-66)
Fix-Commit: 89ce64b269a897a7780e4c73a7412016381c6ecf (2.37-89)
Fix-Commit: 4ed98540a7fd19f458287e783ae59c41e64df7b5 (2.36-164)
Fix-Commit: 36280d1ce5e245aabefb877fe4d3c6cff95dabfa (2.35-315)
Fix-Commit: a8b0561db4b9847ebfbfec20075697d5492a363c (2.34-459)
Fix-Commit: ed4f16ff6bed3037266f1fa682ebd32a18fce29c (2.33-263)
Fix-Commit: 682ad4c8623e611a971839990ceef00346289cc9 (2.32-140)
Reported-By: Charles Fol
Notes:
======
Published advisories are available directly in the project git repository:
https://sourceware.org/git/?p=glibc.git;a=tree;f=advisories;hb=HEAD
On Wed, Apr 17, 2024 at 02:36:02PM -0300, Adhemerval Zanella Netto wrote:
> GLIBC-SA-2024-0004:
> ===================
> ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
>
> The iconv() function in the GNU C Library versions 2.39 and older may
> overflow the output buffer passed to it by up to 4 bytes when converting
> strings to the ISO-2022-CN-EXT character set, which may be used to
> crash an application or overwrite a neighbouring variable.
>
> ISO-2022-CN-EXT uses escape sequences to indicate character set changes
> (as specified by RFC 1922). While the SOdesignation has the expected
> bounds checks, neither SS2designation nor SS3designation have its;
> allowing a write overflow of 1, 2, or 3 bytes with fixed values:
> '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
>
> CVE-Id: CVE-2024-2961
> Public-Date: 2024-04-17
> Vulnerable-Commit: 755104edc75c53f4a0e7440334e944ad3c6b32fc (2.1.93-169)
> Fix-Commit: f9dc609e06b1136bb0408be9605ce7973a767ada (2.40)
> Fix-Commit: 31da30f23cddd36db29d5b6a1c7619361b271fb4 (2.39-31)
> Fix-Commit: e1135387deded5d73924f6ca20c72a35dc8e1bda (2.38-66)
> Fix-Commit: 89ce64b269a897a7780e4c73a7412016381c6ecf (2.37-89)
> Fix-Commit: 4ed98540a7fd19f458287e783ae59c41e64df7b5 (2.36-164)
> Fix-Commit: 36280d1ce5e245aabefb877fe4d3c6cff95dabfa (2.35-315)
> Fix-Commit: a8b0561db4b9847ebfbfec20075697d5492a363c (2.34-459)
> Fix-Commit: ed4f16ff6bed3037266f1fa682ebd32a18fce29c (2.33-263)
> Fix-Commit: 682ad4c8623e611a971839990ceef00346289cc9 (2.32-140)
>
> Reported-By: Charles Fol
I hope Charles will share further detail with oss-security in due time,
but meanwhile his upcoming OffensiveCon talk abstract reveals a bit:
https://www.offensivecon.org/speakers/2024/charles-fol.html
> CHARLES FOL
> ICONV, SET THE CHARSET TO RCE: EXPLOITING THE GLIBC TO HACK THE PHP ENGINE
>
> Abstract
> A few months ago, I stumbled upon a 24 years old buffer overflow in the
> glibc. Despite being reachable in multiple well-known libraries or
> programs, it proved rarely exploitable. Indeed, this was not a foos bug:
> with hard-to-achieve preconditions, it did not even provide a nice
> primitive. On PHP however, it lead to amazing results: a new
> exploitation technique that affects the whole PHP ecosystem, and the
> compromission of several applications.
>
> This talk will first walk you through the discovery of the bug and its
> limitations, before describing the conception of several remote binary
> PHP exploits, and through them offer unique insight in the internal of
> the engine of the web language, and the difficulties one faces when
> exploiting it.
>
> BIO
> Charles Fol, also known as cfreal, is a security researcher at LEXFO /
> AMBIONICS. He has discovered remote code execution vulnerabilities
> targeting renowned CMS and frameworks such as Drupal, Magento, Symfony
> or Laravel, but also enjoys binary exploitation, to escalate privileges
> (Apache, PHP-FPM) or compromise security solutions (DataDog's Sqreen,
> Fortinet SSL VPN, Watchguard). He is the creator for PHPGGC, the go-to
> tool to exploit PHP deserialization, and an expert in PHP internals.
The event is on May 10-11th, so in 3 weeks from now.
Alexander
* Adhemerval Zanella Netto:
> The following security advisories have been published:
>
> GLIBC-SA-2024-0004:
> ===================
> ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
For those who haven't prepared/shipped updates yet: we've got a fix for
a stack-based buffer overflow in nscd under review.
[PATCH 0/4] Various nscd security fixes
<https://inbox.sourceware.org/libc-alpha/[email protected]/>
These are initial patches, still under review. The glibc security team
will send a separate notification once official patches are ready.
The initial issue was reported in Bugzilla without an embargo period,
hence the public patch development. The other bugs concern the same
code and are very minor compared to the initial finding, so a separate
embargo for them doesn't make sense.
Thanks,
Florian