Bug 32796

Summary: Heap-based buffer overflow in the glibc's syslog(), CVE-2023-6246, CVE-2023-6779, CVE-2023-6780
Product: Mageia Reporter: Marc Krämer <mageia>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: High CC: fri, mageia, marja11, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://security-tracker.debian.org/tracker/DSA-5611-1 https://bodhi.fedoraproject.org/updates/FEDORA-2024-aec80d6e8a
Whiteboard: MGA9-64-OK MGA9-32-OK
Source RPM: glibc-2.36-51.mga9.src.rpm CVE: CVE-2023-6246, CVE-2023-6779, CVE-2023-6780
Status comment:

Description Marc Krämer 2024-01-31 14:11:58 CET 
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt

Exploit code:
(exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null)



German news article about this:

https://www.heise.de/news/Linux-Sicherheitsluecke-in-glibc-bringt-Angreifern-Root-Privilegien-9614333.html?wt_mc=rss.red.ho.ho.atom.beitrag.beitrag
Marc Krämer 2024-01-31 14:12:20 CET

CVE: (none) => CVE-2023-6246, CVE-2023-6779, CVE-2023-6780

Comment 2 Lewis Smith 2024-01-31 21:15:36 CET 
Thank you for notifying this, and giving all the references.
Assigning to BaseSystem.

CC: (none) => nicolas.salguero
Assignee: bugsquad => basesystem
Priority: Normal => High
Summary: Heap-based buffer overflow in the glibc's syslog() => Heap-based buffer overflow in the glibc's syslog(), CVE-2023-6246, CVE-2023-6779, CVE-2023-6780

Comment 3 Nicolas Salguero 2024-02-01 10:35:27 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. (CVE-2023-6246)

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. (CVE-2023-6779)

An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. (CVE-2023-6780)

References:
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
https://security-tracker.debian.org/tracker/DSA-5611-1
https://bodhi.fedoraproject.org/updates/FEDORA-2024-aec80d6e8a
========================

Updated packages in core/updates_testing:
========================
glibc-2.36-52.mga9
glibc-devel-2.36-52.mga9
glibc-doc-2.36-52.mga9
glibc-i18ndata-2.36-52.mga9
glibc-profile-2.36-52.mga9
glibc-static-devel-2.36-52.mga9
glibc-utils-2.36-52.mga9
nscd-2.36-52.mga9

from SRPM:
glibc-2.36-52.mga9.src.rpm

Source RPM: glibc => glibc-2.36-51.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: basesystem => qa-bugs

PC LX 2024-02-01 10:57:55 CET

CC: (none) => mageia

Marja Van Waes 2024-02-01 15:14:43 CET

URL: (none) => https://security-tracker.debian.org/tracker/DSA-5611-1 https://bodhi.fedoraproject.org/updates/FEDORA-2024-aec80d6e8a
CC: (none) => marja11

Marja Van Waes 2024-02-01 15:17:39 CET

Keywords: (none) => advisory

Comment 4 katnatek 2024-02-02 03:13:54 CET 
After update, if I run the code in the comment#0
The terminal closes after show the message asking for password 
This is the desired effect?
Comment 5 Marc Krämer 2024-02-02 09:15:52 CET 
yes. without the patch a segmentation fault was raised
Comment 6 Morgan Leijström 2024-02-02 16:11:32 CET 
mga9-64 OK

__Testing the code in Comment 0 in Konsole:

Before update: crash

Updating what my system "svarten" have installed of glibc, to
 glibc-6:2.36-52.mga9.x86_64
 glibc-devel-6:2.36-52.mga9.x86_64

Now Konsole closed when executing that code, right after displaying "password"

---

Given glibc is so fundamental, test on i586 too would be good.

CC: (none) => fri
Whiteboard: (none) => MGA9-64-OK

Comment 7 katnatek 2024-02-02 21:08:35 CET 
Tested on real hardware mageia 9 i586

Updated without issues
Works as in my other test

Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK

katnatek 2024-02-02 21:25:11 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-02-04 03:51:47 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0026.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED