Bug 13848

Summary: [CVE 21] glibc 2.33 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: Highest
CC: a.proklov, e.kosachev, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+, y.tumanov: secteam_verified+, a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2023-4527, CVE-2023-4813, CVE-2023-5156,
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:
Attachments: CVE-2023-4527

Description Yury 2023-10-18 20:25:46 MSK
Please patch CVEs for package glibc version 2.33
  
INFO (CVEs are): glibc 2.33
 cves found
CVE-2023-4527
Desc: A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-4527
Severity: MEDIUM
CVE-2023-4813
Desc: A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-4813
Severity: MEDIUM
CVE-2023-5156
Desc: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-5156
Severity: HIGH
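A configuration check for the preconditions named in the CVE-2023-4527 and CVE-2023-4813 descriptions above, as an added example that is not part of the original bug report. Function names and the sample file contents are constructed; the check inspects configuration only and says nothing about whether the installed glibc build carries the fix.

```python
import re
from pathlib import Path

def resolv_has_no_aaaa(text):
    """True if an 'options' line in resolv.conf text enables no-aaaa."""
    for line in text.splitlines():
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if fields and fields[0] == "options" and "no-aaaa" in fields[1:]:
            return True
    return False

def hosts_success_actions(text):
    """Lowercased SUCCESS actions from the 'hosts' database line(s)."""
    actions = []
    for line in text.splitlines():
        m = re.match(r"\s*hosts\s*:(.*)", line.split("#", 1)[0])
        if not m:
            continue
        for group in re.findall(r"\[([^\]]*)\]", m.group(1)):
            for item in group.split():
                status, _, action = item.partition("=")
                if status.upper() == "SUCCESS":  # "!SUCCESS=..." is skipped
                    actions.append(action.lower())
    return actions

def audit(resolv_text, nsswitch_text):
    """Map each CVE to whether its configuration precondition is present."""
    risky = {"continue", "merge"} & set(hosts_success_actions(nsswitch_text))
    return {"CVE-2023-4527": resolv_has_no_aaaa(resolv_text),
            "CVE-2023-4813": bool(risky)}

# Constructed sample contents, not taken from any real host.
SAMPLE_RESOLV = "nameserver 192.0.2.53\noptions timeout:2 no-aaaa\n"
SAMPLE_NSSWITCH = "passwd: files\nhosts: files [SUCCESS=merge] dns  # merge\n"

if __name__ == "__main__":
    def read(p):
        return Path(p).read_text() if Path(p).is_file() else ""
    result = audit(read("/etc/resolv.conf"), read("/etc/nsswitch.conf"))
    for cve, present in result.items():
        print(f"{cve}: precondition {'PRESENT' if present else 'absent'}")
```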
Comment 1 Vladimir Potapov 2023-10-20 12:54:09 MSK
*** Bug 13716 has been marked as a duplicate of this bug. ***
Comment 2 Aleksandr Proklov 2023-10-27 06:29:08 MSK
Created attachment 5971 [details]
CVE-2023-4527
Comment 3 Aleksandr Proklov 2023-10-27 07:32:42 MSK
I can't close CVE-2023-4527: it doesn't build with the patch (I attached the patch to the bug).
Links to the failed builds:
https://abf.io/build_lists/4766914
https://abf.io/build_lists/4766915

CVE-2023-4813 - closed with a patch

CVE-2023-5156 is not applicable to our version 2.33; that code is not there.

https://abf.io/build_lists/4766922
https://abf.io/build_lists/4766923
https://abf.io/build_lists/4766924
https://abf.io/build_lists/4766925
Comment 5 Aleksandr Proklov 2023-10-27 07:33:37 MSK
glibc	2.33-8
Comment 6 Vladimir Potapov 2023-10-27 08:03:04 MSK
I looked at https://pkgs.org/download/glibc; only Slackware has version 2.33.
But why did we take that one?
Comment 7 Aleksandr Proklov 2023-10-27 11:11:04 MSK
At the time of the platform release nobody had 2.34, you looked yourself and said so!
Comment 9 Vladimir Potapov 2023-10-27 14:46:12 MSK
(In reply to Aleksandr from comment #7)
> At the time of the platform release nobody had 2.34, you looked yourself and
> said so!
Well, I'm always against taking unique versions for packages that don't get major-version updates.
Comment 10 Dmitry Postnikov 2023-10-31 10:58:59 MSK
So are we going to update to 2.33-8 or not?
Comment 11 Dmitry Postnikov 2023-11-01 13:55:05 MSK
(In reply to Aleksandr Proklov from comment #8)
> glibc	2.33-8
> 
> https://abf.io/build_lists/4766923
> https://abf.io/build_lists/4766924
> https://abf.io/build_lists/4766998 (x64)

*****************************
Update sent to Testing
Comment 12 Yury 2023-11-07 10:53:12 MSK
secteam_verified
Comment 13 Vladimir Potapov 2023-11-07 17:06:30 MSK
Запуск скриптлета: glibc-6:2.33-8.i686                                                                                                                                                 1/56 
Error: Missing /usr/lib/gconv/gconv-modules.cache file.
Comment 14 Vladimir Potapov 2023-11-08 12:21:33 MSK
glibc-2.33-8
https://abf.io/build_lists/4766923
https://abf.io/build_lists/4766924
https://abf.io/build_lists/4766998 (x64)
*********************** Advisory **************************
CVE-2023-4813 fix
***********************************************************
QA Verified