Date: Thu, 18 Apr 2024 18:42:42 +0200
From: Solar Designer
To: oss-security@lists.openwall.com
Message-ID: <20240418164242.GA2468@openwall.com>
In-Reply-To: <23c15272-d797-4c3c-bbfb-e462c900978f@gmail.com>
Subject: Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

On Wed, Apr 17, 2024 at 02:36:02PM -0300, Adhemerval Zanella Netto wrote:
> GLIBC-SA-2024-0004:
> ===================
> ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
>
> The iconv() function in the GNU C Library versions 2.39 and older may
> overflow the output buffer passed to it by up to 4 bytes when converting
> strings to the ISO-2022-CN-EXT character set, which may be used to
> crash an application or overwrite a neighbouring variable.
>
> ISO-2022-CN-EXT uses escape sequences to indicate character set changes
> (as specified by RFC 1922). While the SOdesignation has the expected
> bounds checks, neither SS2designation nor SS3designation have them,
> allowing a write overflow of 1, 2, or 3 bytes with fixed values:
> '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
>
> CVE-Id: CVE-2024-2961
> Public-Date: 2024-04-17
> Vulnerable-Commit: 755104edc75c53f4a0e7440334e944ad3c6b32fc (2.1.93-169)
> Fix-Commit: f9dc609e06b1136bb0408be9605ce7973a767ada (2.40)
> Fix-Commit: 31da30f23cddd36db29d5b6a1c7619361b271fb4 (2.39-31)
> Fix-Commit: e1135387deded5d73924f6ca20c72a35dc8e1bda (2.38-66)
> Fix-Commit: 89ce64b269a897a7780e4c73a7412016381c6ecf (2.37-89)
> Fix-Commit: 4ed98540a7fd19f458287e783ae59c41e64df7b5 (2.36-164)
> Fix-Commit: 36280d1ce5e245aabefb877fe4d3c6cff95dabfa (2.35-315)
> Fix-Commit: a8b0561db4b9847ebfbfec20075697d5492a363c (2.34-459)
> Fix-Commit: ed4f16ff6bed3037266f1fa682ebd32a18fce29c (2.33-263)
> Fix-Commit: 682ad4c8623e611a971839990ceef00346289cc9 (2.32-140)
>
> Reported-By: Charles Fol

I hope Charles will share further detail with oss-security in due time,
but meanwhile his upcoming OffensiveCon talk abstract reveals a bit:

https://www.offensivecon.org/speakers/2024/charles-fol.html

> CHARLES FOL
> ICONV, SET THE CHARSET TO RCE: EXPLOITING THE GLIBC TO HACK THE PHP ENGINE
>
> Abstract
> A few months ago, I stumbled upon a 24-year-old buffer overflow in the
> glibc. Despite being reachable in multiple well-known libraries or
> programs, it proved rarely exploitable. Indeed, this was not a foos bug:
> with hard-to-achieve preconditions, it did not even provide a nice
> primitive. On PHP however, it led to amazing results: a new
> exploitation technique that affects the whole PHP ecosystem, and the
> compromission of several applications.
>
> This talk will first walk you through the discovery of the bug and its
> limitations, before describing the conception of several remote binary
> PHP exploits, and through them offer unique insight into the internals of
> the engine of the web language, and the difficulties one faces when
> exploiting it.
>
> BIO
> Charles Fol, also known as cfreal, is a security researcher at LEXFO /
> AMBIONICS. He has discovered remote code execution vulnerabilities
> targeting renowned CMS and frameworks such as Drupal, Magento, Symfony
> or Laravel, but also enjoys binary exploitation, to escalate privileges
> (Apache, PHP-FPM) or compromise security solutions (DataDog's Sqreen,
> Fortinet SSL VPN, Watchguard). He is the creator of PHPGGC, the go-to
> tool to exploit PHP deserialization, and an expert in PHP internals.

The event is on May 10-11th, so in 3 weeks from now.

Alexander
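As an added illustration (not glibc's code and not part of the advisory or this thread), the bounds check the advisory says the SOdesignation path had and the SS2/SS3designation paths lacked, modelled on the 4-byte designation escape (ESC plus one of the listed three-byte values); the function and constant names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not glibc code.  Models the ISO-2022-CN-EXT designation
 * escape (ESC followed by one of the three-byte values the advisory lists,
 * e.g. '$+I') that iconv emits before switching to an SS2/SS3 character set.
 * All names here (emit_designation, EMIT_*, unchecked_overflow_bytes) are
 * this example's own, not glibc identifiers. */

#define ESC 0x1b
#define DESIGNATION_LEN 4   /* ESC plus three bytes */

enum { EMIT_FULL_OUTPUT = -1, EMIT_BAD_SEQ = -2 };

/* The fixed designation values named in GLIBC-SA-2024-0004. */
static const char *const known_seqs[] = {
    "$+I", "$+J", "$+K", "$+L", "$+M", "$*H"
};

static int is_known_seq(const char *seq)
{
    for (size_t i = 0; i < sizeof known_seqs / sizeof known_seqs[0]; i++)
        if (strcmp(seq, known_seqs[i]) == 0)
            return 1;
    return 0;
}

/* Hardened emitter: writes the 4-byte escape only when all of it fits, which
 * is the check the advisory says SOdesignation had and SS2/SS3designation
 * lacked.  Returns bytes written, or EMIT_FULL_OUTPUT so the caller can grow
 * the output buffer and retry (iconv() reports that state to callers as E2BIG). */
int emit_designation(unsigned char *out, size_t avail, const char *seq)
{
    if (!is_known_seq(seq))
        return EMIT_BAD_SEQ;
    if (avail < DESIGNATION_LEN)   /* the bounds check that was missing */
        return EMIT_FULL_OUTPUT;
    out[0] = ESC;
    memcpy(out + 1, seq, DESIGNATION_LEN - 1);
    return DESIGNATION_LEN;
}

/* Bytes an unchecked 4-byte write would spill past a buffer with `avail`
 * bytes of room left: 3, 2 or 1 for avail = 1, 2, 3, matching the advisory's
 * "write overflow of 1, 2, or 3 bytes". */
size_t unchecked_overflow_bytes(size_t avail)
{
    return avail < DESIGNATION_LEN ? DESIGNATION_LEN - avail : 0;
}
```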