Bug 32796 - Heap-based buffer overflow in the glibc's syslog(), CVE-2023-6246, CVE-2023-6779, CVE-2023-6780
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: High
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://security-tracker.debian.org/t...
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-01-31 14:11 CET by Marc Krämer
Modified: 2024-02-04 03:51 CET

See Also:
Source RPM: glibc-2.36-51.mga9.src.rpm
CVE: CVE-2023-6246, CVE-2023-6779, CVE-2023-6780
Status comment:


Description Marc Krämer 2024-01-31 14:11:58 CET
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt

Exploit code:
(exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null)



German news article about this:

https://www.heise.de/news/Linux-Sicherheitsluecke-in-glibc-bringt-Angreifern-Root-Privilegien-9614333.html?wt_mc=rss.red.ho.ho.atom.beitrag.beitrag
Marc Krämer 2024-01-31 14:12:20 CET

CVE: (none) => CVE-2023-6246, CVE-2023-6779, CVE-2023-6780

Comment 2 Lewis Smith 2024-01-31 21:15:36 CET
Thank you for notifying us of this, and giving all the references.
Assigning to BaseSystem.

CC: (none) => nicolas.salguero
Assignee: bugsquad => basesystem
Priority: Normal => High
Summary: Heap-based buffer overflow in the glibc's syslog() => Heap-based buffer overflow in the glibc's syslog(), CVE-2023-6246, CVE-2023-6779, CVE-2023-6780

Comment 3 Nicolas Salguero 2024-02-01 10:35:27 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function has not been called, or was called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. (CVE-2023-6246)

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. (CVE-2023-6779)

An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. (CVE-2023-6780)

References:
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
https://security-tracker.debian.org/tracker/DSA-5611-1
https://bodhi.fedoraproject.org/updates/FEDORA-2024-aec80d6e8a
========================

Updated packages in core/updates_testing:
========================
glibc-2.36-52.mga9
glibc-devel-2.36-52.mga9
glibc-doc-2.36-52.mga9
glibc-i18ndata-2.36-52.mga9
glibc-profile-2.36-52.mga9
glibc-static-devel-2.36-52.mga9
glibc-utils-2.36-52.mga9
nscd-2.36-52.mga9

from SRPM:
glibc-2.36-52.mga9.src.rpm

Source RPM: glibc => glibc-2.36-51.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: basesystem => qa-bugs

PC LX 2024-02-01 10:57:55 CET

CC: (none) => mageia

Marja Van Waes 2024-02-01 15:14:43 CET

URL: (none) => https://security-tracker.debian.org/tracker/DSA-5611-1 https://bodhi.fedoraproject.org/updates/FEDORA-2024-aec80d6e8a
CC: (none) => marja11

Marja Van Waes 2024-02-01 15:17:39 CET

Keywords: (none) => advisory

Comment 4 katnatek 2024-02-02 03:13:54 CET
After the update, if I run the code in comment #0, the terminal closes after showing the message asking for the password.
Is this the desired effect?
Comment 5 Marc Krämer 2024-02-02 09:15:52 CET
Yes. Without the patch a segmentation fault was raised.
Comment 6 Morgan Leijström 2024-02-02 16:11:32 CET
mga9-64 OK

Testing the code in Comment 0 in Konsole:

Before update: crash

Updating what my system "svarten" has installed of glibc, to
 glibc-6:2.36-52.mga9.x86_64
 glibc-devel-6:2.36-52.mga9.x86_64

Now Konsole closed when executing that code, right after displaying "password"

---

Given glibc is so fundamental, a test on i586 too would be good.

CC: (none) => fri
Whiteboard: (none) => MGA9-64-OK

Comment 7 katnatek 2024-02-02 21:08:35 CET
Tested on real hardware mageia 9 i586

Updated without issues
Works as in my other test

Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK

katnatek 2024-02-02 21:25:11 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-02-04 03:51:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0026.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
