public inbox for libc-alpha@sourceware.org
* [PATCH] Move CVE information into advisories directory
@ 2023-11-08 16:45 Siddhesh Poyarekar
  2023-11-08 17:32 ` Florian Weimer
  0 siblings, 1 reply; 3+ messages in thread
From: Siddhesh Poyarekar @ 2023-11-08 16:45 UTC (permalink / raw)
  To: libc-alpha; +Cc: carlos, adhemerval.zanella, fweimer

One of the requirements to becoming a CVE Numbering Authority (CNA) is
to publish advisories.  Do this by maintaining a file for each CVE fixed
in the advisories directory in the source tree.  Links to the advisories
can then be shared as:

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/CVE-YYYY-NNNN

In future, backports up to glibc 2.39 should also include backport of
the relevant advisory file.

The file format at the moment is rudimentary and derives from the git
commit format, i.e. a subject line and a potentially multi-paragraph
description and then tags to describe some meta information.  This is a
loose format at the moment and could change as we evolve this.

Also add a script process-fixed-cves.sh that processes these advisories
and generates a list to add to NEWS at release time.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---

Once this has consensus, I'll generate advisory files for all CVEs up to
v2.34 on the master branch.  I'll post a separate patch for older
branches up to 2.34, since they will have a different Fixed-by and
probably shouldn't include Fixed-releases:.

 NEWS                          | 24 +++++-------------------
 advisories/CVE-2023-4527      | 12 ++++++++++++
 advisories/CVE-2023-4806      | 10 ++++++++++
 advisories/CVE-2023-4911      | 11 +++++++++++
 advisories/CVE-2023-5156      | 10 ++++++++++
 scripts/process-fixed-cves.sh | 34 ++++++++++++++++++++++++++++++++++
 6 files changed, 82 insertions(+), 19 deletions(-)
 create mode 100644 advisories/CVE-2023-4527
 create mode 100644 advisories/CVE-2023-4806
 create mode 100644 advisories/CVE-2023-4911
 create mode 100644 advisories/CVE-2023-5156
 create mode 100755 scripts/process-fixed-cves.sh

diff --git a/NEWS b/NEWS
index 4580fe381d..92c8ee08c6 100644
--- a/NEWS
+++ b/NEWS
@@ -67,25 +67,11 @@ Changes to build and runtime requirements:
 
 Security related changes:
 
-  CVE-2023-4527: If the system is configured in no-aaaa mode via
-  /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
-  family, and a DNS response is received over TCP that is larger than
-  2048 bytes, getaddrinfo may potentially disclose stack contents via
-  the returned address data, or crash.
-
-  CVE-2023-4806: When an NSS plugin only implements the
-  _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
-  memory that was freed during buffer resizing, potentially causing a
-  crash or read or write to arbitrary memory.
-
-  CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
-  an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
-  AI_ALL and AI_V4MAPPED flags set.
-
-  CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
-  environment of a setuid program and NAME is valid, it may result in a
-  buffer overflow, which could be exploited to achieve escalated
-  privileges.  This flaw was introduced in glibc 2.34.
+The following CVEs were fixed in this release, details of which can be
+found in the advisories directory of the release tarball:
+
+  [The release manager will add the list generated by
+  scripts/process-fixed-cves.sh just before the release.]
 
 The following bugs are resolved with this release:
 
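Review bot: the bracketed placeholder "[The release manager will add the list generated by scripts/process-fixed-cves.sh just before the release.]" ships verbatim in NEWS if that step is forgotten, and nothing in this patch guards against it; add the step to the release checklist and have the script (or a dist check) refuse to proceed while the placeholder is still present. The new text also promises the details "in the advisories directory of the release tarball", so the dist rules must actually include advisories/; the commit message does not say whether that is already the case.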
diff --git a/advisories/CVE-2023-4527 b/advisories/CVE-2023-4527
new file mode 100644
index 0000000000..9bb4957501
--- /dev/null
+++ b/advisories/CVE-2023-4527
@@ -0,0 +1,12 @@
+getaddrinfo: Stack read overflow in no-aaaa mode
+
+If the system is configured in no-aaaa mode via /etc/resolv.conf,
+getaddrinfo is called for the AF_UNSPEC address family, and a DNS
+response is received over TCP that is larger than 2048 bytes,
+getaddrinfo may potentially disclose stack contents via the returned
+address data, or crash.
+
+Public-date: 2023-09-12
+Vulnerable-since: f282cdbe7f436c75864e5640a409a10485e9abb2
+Fixed-by: bd77dd7e73e3530203be1c52c8a29d08270cb25d
+Fixed-releases: 2.36, 2.37, 2.38, 2.39
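Review bot: the advisory body never repeats its CVE ID, so the file name is the only binding between text and identifier; a rename, a copy into a release branch, or a later CVE rejection/duplicate silently detaches the two. Add an explicit trailer line such as `CVE-Id: CVE-2023-4527` alongside the other tags, and document which trailer fields are mandatory, since the commit message calls the format loose and a script is about to parse it.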
diff --git a/advisories/CVE-2023-4806 b/advisories/CVE-2023-4806
new file mode 100644
index 0000000000..bea41cfaba
--- /dev/null
+++ b/advisories/CVE-2023-4806
@@ -0,0 +1,10 @@
+getaddrinfo: Potential use-after-free
+
+When an NSS plugin only implements the _gethostbyname2_r and
+_getcanonname_r callbacks, getaddrinfo could use memory that was freed
+during buffer resizing, potentially causing a crash or read or write to
+arbitrary memory.
+
+Public-date: 2023-09-12
+Fixed-by: 973fe93a5675c42798b2161c6f29c01b0e243994
+Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
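Review bot: this file carries no Vulnerable-since line while CVE-2023-4527 and CVE-2023-4911 do, so a consumer cannot tell "predates every supported branch" from "forgotten". If the defect is older than the oldest supported release, say so explicitly (an `unknown` value or the earliest commit known to be affected) rather than omitting the tag; otherwise the field is not usable for automated "am I affected" checks.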
diff --git a/advisories/CVE-2023-4911 b/advisories/CVE-2023-4911
new file mode 100644
index 0000000000..f250c0c12e
--- /dev/null
+++ b/advisories/CVE-2023-4911
@@ -0,0 +1,11 @@
+tunables: local privilege escalation through buffer overflow
+
+If a tunable of the form NAME=NAME=VAL is passed in the environment of a
+setuid program and NAME is valid, it may result in a buffer overflow,
+which could be exploited to achieve escalated privileges.  This flaw was
+introduced in glibc 2.34.
+
+Public-date: 2023-10-03
+Vulnerable-since: 2ed18c5b534d9e92fc006202a5af0df6b72e7aca
+Fixed-by: 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa
+Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
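Review bot: style: the subject line is what process-fixed-cves.sh copies into NEWS verbatim, and this is the only one of the four written in lowercase ("local privilege escalation through buffer overflow") while the getaddrinfo advisories capitalize ("Stack read overflow", "DoS"); settle on one convention now, since these lines become the public NEWS text. The "introduced in glibc 2.34" fact also lives only in prose here while Vulnerable-since gives a commit; a release-level field for the first affected version would let the script reproduce it and would make the release information consistent across all four files.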
diff --git a/advisories/CVE-2023-5156 b/advisories/CVE-2023-5156
new file mode 100644
index 0000000000..5493453bec
--- /dev/null
+++ b/advisories/CVE-2023-5156
@@ -0,0 +1,10 @@
+getaddrinfo: DoS due to memory leak
+
+The fix for CVE-2023-4806 introduced a memory leak when an application
+calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
+flags set.
+
+Public-date: 2023-09-25
+Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796
+Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994
+Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
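Review bot: the trailer order here (Fixed-by before Vulnerable-since) differs from the other three files; either reorder it or state in the format description that the trailer is an unordered set of `Tag: value` lines, otherwise a parser written against CVE-2023-4527 will misread this one. Given that Vulnerable-since is the CVE-2023-4806 fix commit, it would also help to say that a release is only affected once it carried that backport, which is why the Fixed-releases list mirrors the one for CVE-2023-4806.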
diff --git a/scripts/process-fixed-cves.sh b/scripts/process-fixed-cves.sh
new file mode 100755
index 0000000000..d066b8c919
--- /dev/null
+++ b/scripts/process-fixed-cves.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -e
+# Copyright The GNU Toolchain Authors.
+# This file is part of the GNU C Library.
+#
+# The GNU C Library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# The GNU C Library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with the GNU C Library; if not, see
+# <https://www.gnu.org/licenses/>.
+
+git status > /dev/null 2>&1 ||
+  ( echo "error: Run this script from within the glibc git repository." &&
+  exit 1 )
+
+prevrel=$(git tag | grep "glibc-2.[0-9]\+$" |
+	  sort -n -t. -k 1,2nr -k 2,3nr | head -1)
+
+if ! [ -e advisories ]; then
+  echo "error: Previous release tag not found. This script needs to be run"
+  echo "       from the toplevel directory of the glibc repository."
+  exit 1
+fi
+
+git diff --name-only --stat ${prevrel}..HEAD -- advisories | while read f; do
+  echo "$(basename $f): $(head -1 $f)";
+done
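Review bot: the `if ! [ -e advisories ]` test checks for the directory but prints "Previous release tag not found", and `prevrel` itself is never checked; when no tag matches, the range degenerates to `..HEAD`, which git reads as `HEAD..HEAD`, so the script prints nothing and exits 0. Test `[ -z "$prevrel" ]` separately with that message and keep the directory check with its own. The `git diff --name-only` list also includes advisories that were merely edited since the previous tag (and deleted ones, on which `head -1 $f` then fails), so every later release would re-announce old CVEs; add `--diff-filter=A` and drop `--stat`, which `--name-only` overrides anyway. Minor: `exit 1` inside `( ... )` only leaves the subshell, and the script stops only because of the `-e` in the shebang, which is lost when it is invoked as `bash scripts/process-fixed-cves.sh`; use `{ ...; exit 1; }` and a `set -e` in the body, and `read -r f` with `"$f"` quoted. The tag selection can be `git tag --sort=-version:refname | grep '^glibc-2\.[0-9]\+$' | head -1` instead of `sort -n -t. -k 1,2nr -k 2,3nr`, whose first key parses "glibc-2" as 0 and only works by accident of the second key.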
-- 
2.41.0



* Re: [PATCH] Move CVE information into advisories directory
  2023-11-08 16:45 [PATCH] Move CVE information into advisories directory Siddhesh Poyarekar
@ 2023-11-08 17:32 ` Florian Weimer
  2023-11-08 18:09   ` Siddhesh Poyarekar
  0 siblings, 1 reply; 3+ messages in thread
From: Florian Weimer @ 2023-11-08 17:32 UTC (permalink / raw)
  To: Siddhesh Poyarekar; +Cc: libc-alpha, carlos, Adhemerval Zanella

* Siddhesh Poyarekar:

> One of the requirements to becoming a CVE Numbering Authority (CNA) is
> to publish advisories.  Do this by maintaining a file for each CVE fixed
> in the advisories directory in the source tree.  Links to the advisories
> can then be shared as:
>
> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/CVE-YYYY-NNNN

I think we should use our own identifiers (GLIBC-SA-2023-001 etc.)
instead of CVE IDs.  CVE IDs can change due to duplicates, typos that
lead to rejection etc., and I don't think Gitweb follows symbolic links
in the repository (and we shouldn't check them in anyway because they
are confusing).

> In future, backports up to glibc 2.39 should also include backport of
> the relevant advisory file.

Should we replace the directory with a reference to the master branch
upon branching for the release?  This way, the information is just in
one place.

> diff --git a/advisories/CVE-2023-4527 b/advisories/CVE-2023-4527
> new file mode 100644
> index 0000000000..9bb4957501
> --- /dev/null
> +++ b/advisories/CVE-2023-4527
> @@ -0,0 +1,12 @@
> +getaddrinfo: Stack read overflow in no-aaaa mode
> +
> +If the system is configured in no-aaaa mode via /etc/resolv.conf,
> +getaddrinfo is called for the AF_UNSPEC address family, and a DNS
> +response is received over TCP that is larger than 2048 bytes,
> +getaddrinfo may potentially disclose stack contents via the returned
> +address data, or crash.

Should we add a little bit more information?  An initial paragraph like
this?

   This vulnerability affects the DNS client implementation in glibc.
   This component is responsible for translating DNS host names to
   addresses and back.  The vulnerability is in the NSS part of the DNS
   client.  Applications which call the getaddrinfo function are
   potentially impacted, but the older name resolution interfaces and
   the res_* family of functions are not affected.

And then as a third paragraph:

   The no-aaaa functionality was introduced in glibc 2.36.  Previous
   versions ignore the no-aaaa option if it is present in /etc/resolv.conf.

And maybe even quote a vulnerable configuration snippet?

> +Public-date: 2023-09-12
> +Vulnerable-since: f282cdbe7f436c75864e5640a409a10485e9abb2
> +Fixed-by: bd77dd7e73e3530203be1c52c8a29d08270cb25d
> +Fixed-releases: 2.36, 2.37, 2.38, 2.39

CVE IDs should be repeated in the file itself.

It would be nice to note that f282cdbe7f436c75864e5640a409a10485e9abb2
is part of the 2.36 release.

> diff --git a/advisories/CVE-2023-5156 b/advisories/CVE-2023-5156
> new file mode 100644
> index 0000000000..5493453bec
> --- /dev/null
> +++ b/advisories/CVE-2023-5156
> @@ -0,0 +1,10 @@
> +getaddrinfo: DoS due to memory leak
> +
> +The fix for CVE-2023-4806 introduced a memory leak when an application
> +calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
> +flags set.
> +
> +Public-date: 2023-09-25
> +Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796
> +Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994
> +Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
> diff --git a/scripts/process-fixed-cves.sh b/scripts/process-fixed-cves.sh
> new file mode 100755
> index 0000000000..d066b8c919

> +prevrel=$(git tag | grep "glibc-2.[0-9]\+$" |
> +	  sort -n -t. -k 1,2nr -k 2,3nr | head -1)

I think this is slightly more robust:

  git tag --sort=-taggerdate | grep '^glibc-2\.[0-9.]\+' | grep -v '\.9000$' 

Thanks,
Florian



* Re: [PATCH] Move CVE information into advisories directory
  2023-11-08 17:32 ` Florian Weimer
@ 2023-11-08 18:09   ` Siddhesh Poyarekar
  0 siblings, 0 replies; 3+ messages in thread
From: Siddhesh Poyarekar @ 2023-11-08 18:09 UTC (permalink / raw)
  To: Florian Weimer; +Cc: libc-alpha, carlos, Adhemerval Zanella

Thanks, I'll update and post a v2.

On 2023-11-08 12:32, Florian Weimer wrote:
> * Siddhesh Poyarekar:
> 
>> One of the requirements to becoming a CVE Numbering Authority (CNA) is
>> to publish advisories.  Do this by maintaining a file for each CVE fixed
>> in the advisories directory in the source tree.  Links to the advisories
>> can then be shared as:
>>
>> https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/CVE-YYYY-NNNN
> 
> I think we should use our own identifiers (GLIBC-SA-2023-001 etc.)
> instead of CVE IDs.  CVE IDs can change due to duplicates, typos that
> lead to rejection etc., and I don't think Gitweb follows symbolic links
> in the repository (and we shouldn't check them in anyway because they
> are confusing).

OK, I can add glibc-specific IDs.

>> In future, backports up to glibc 2.39 should also include backport of
>> the relevant advisory file.
> 
> Should we replace the directory with a reference to the master branch
> upon branching for the release?  This way, the information is just in
> one place.

That'll make things easy, I agree.  This could be scripted on release.

>> diff --git a/advisories/CVE-2023-4527 b/advisories/CVE-2023-4527
>> new file mode 100644
>> index 0000000000..9bb4957501
>> --- /dev/null
>> +++ b/advisories/CVE-2023-4527
>> @@ -0,0 +1,12 @@
>> +getaddrinfo: Stack read overflow in no-aaaa mode
>> +
>> +If the system is configured in no-aaaa mode via /etc/resolv.conf,
>> +getaddrinfo is called for the AF_UNSPEC address family, and a DNS
>> +response is received over TCP that is larger than 2048 bytes,
>> +getaddrinfo may potentially disclose stack contents via the returned
>> +address data, or crash.
> 
> Should we add a little bit more information?  An initial paragraph like
> this?
> 
>     This vulnerability affects the DNS client implementation in glibc.
>     This component is responsible for translating DNS host names to
>     addresses and back.  The vulnerability is in the NSS part of the DNS
>     client.  Applications which call the getaddrinfo function are
>     potentially impacted, but the older name resolution interfaces and
>     the res_* family of functions are not affected.
> 
> And then as a third paragraph:
> 
>     The no-aaaa functionality was introduced in glibc 2.36.  Previous
>     versions ignore the no-aaaa option if it is present in /etc/resolv.conf.
> 
> And maybe even quote a vulnerable configuration snippet?
> 

Sure, additional information would be great, would you be able to push a 
patch with more information for CVE-2023-4527 on top of the advisory 
file once I've committed this?  I'll do the other 3.

>> +Public-date: 2023-09-12
>> +Vulnerable-since: f282cdbe7f436c75864e5640a409a10485e9abb2
>> +Fixed-by: bd77dd7e73e3530203be1c52c8a29d08270cb25d
>> +Fixed-releases: 2.36, 2.37, 2.38, 2.39
> 
> CVE IDs should be repeated in the file itself.

Ack, and it will be necessary if the advisory files are of the form 
GLIBC-SA-YYYY-NNNN.

> 
> It would be nice to note that f282cdbe7f436c75864e5640a409a10485e9abb2
> is part of the 2.36 release.

Ack, I'll add a First-Vulnerable-release.

>> diff --git a/advisories/CVE-2023-5156 b/advisories/CVE-2023-5156
>> new file mode 100644
>> index 0000000000..5493453bec
>> --- /dev/null
>> +++ b/advisories/CVE-2023-5156
>> @@ -0,0 +1,10 @@
>> +getaddrinfo: DoS due to memory leak
>> +
>> +The fix for CVE-2023-4806 introduced a memory leak when an application
>> +calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
>> +flags set.
>> +
>> +Public-date: 2023-09-25
>> +Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796
>> +Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994
>> +Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
>> diff --git a/scripts/process-fixed-cves.sh b/scripts/process-fixed-cves.sh
>> new file mode 100755
>> index 0000000000..d066b8c919
> 
>> +prevrel=$(git tag | grep "glibc-2.[0-9]\+$" |
>> +	  sort -n -t. -k 1,2nr -k 2,3nr | head -1)
> 
> I think this is slightly more robust:
> 
>    git tag --sort=-taggerdate | grep '^glibc-2\.[0-9.]\+' | grep -v '\.9000$'

Thanks, and how about this as the format for the auto-generated NEWS clip:

GLIBC-SA-YYYY-NNNN:
   CVE-YYYY-NNNN: One line description.

Thanks,
Sid
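The advisory file format the patch introduces (subject line, free-form paragraphs, then a `Tag: value` trailer) and the NEWS clip format proposed just above, as an added worked example that is not part of the patch or the glibc tree: a small parser that validates the trailer, accepts the differing tag order seen in the patch's files, and emits the two-line clip. The `CVE-Id` tag name and the `GLIBC-SA-2023-0001` identifier are assumptions; the thread only says the CVE ID should be repeated and gives the GLIBC-SA-YYYY-NNNN shape.

```python
import re
# "CVE-Id" is an assumed tag name: the thread only says the ID must be repeated.
TAG_RE = re.compile(r"^([A-Z][A-Za-z-]*): (.+)$")
REQUIRED = ("CVE-Id", "Public-date", "Fixed-by", "Fixed-releases")


def parse_advisory(text):
    """Split one advisory file into subject, description and trailer tags.
    The trailer is the run of "Tag: value" lines at the end; order is ignored."""
    lines = text.rstrip("\n").split("\n")
    tags = {}
    while lines and (m := TAG_RE.match(lines[-1])):
        tags[m.group(1)] = m.group(2).strip()
        lines.pop()
    return {"subject": lines[0].strip() if lines else "",
            "description": "\n".join(lines[1:]).strip(), "tags": tags}


def validate(adv):
    """List what a release manager must fix before the clip goes into NEWS."""
    problems = [f"missing tag {t}" for t in REQUIRED if t not in adv["tags"]]
    rels = adv["tags"].get("Fixed-releases", "")
    if rels and not all(re.fullmatch(r"2\.\d+", r.strip()) for r in rels.split(",")):
        problems.append("Fixed-releases must be a comma-separated list like 2.38, 2.39")
    if "Vulnerable-since" not in adv["tags"]:
        problems.append("no Vulnerable-since: give the commit or say unknown")
    return problems


def news_entry(sa_id, adv):
    """Two-line NEWS clip in the format proposed at the end of the thread."""
    return f"{sa_id}:\n  {adv['tags']['CVE-Id']}: {adv['subject']}"


# Constructed sample: the patch's CVE-2023-5156 text plus the assumed CVE-Id tag,
# keeping that file's Fixed-by-before-Vulnerable-since order to show it parses.
SAMPLE = """getaddrinfo: DoS due to memory leak

The fix for CVE-2023-4806 introduced a memory leak when an application
calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED
flags set.

CVE-Id: CVE-2023-5156
Public-date: 2023-09-25
Fixed-by: ec6b95c3303c700eb89eebeda2d7264cc184a796
Vulnerable-since: 973fe93a5675c42798b2161c6f29c01b0e243994
Fixed-releases: 2.34, 2.35, 2.36, 2.37, 2.38, 2.39
"""
```

Run over each advisory file added since the previous release tag, the `news_entry` output is what the release manager pastes into NEWS, and a non-empty `validate` result is the signal to fix the file first.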
