Github messages for voidlinux
* [PR PATCH] glibc: backport patch to fix CVE-2023-4911
@ 2023-10-03 20:20 Johnnynator
  2023-10-03 20:22 ` [PR REVIEW] " classabbyamp
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: Johnnynator @ 2023-10-03 20:20 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 419 bytes --]

There is a new pull request by Johnnynator against master on the void-packages repository

https://github.com/Johnnynator/void-packages CVE-2023-4911
https://github.com/void-linux/void-packages/pull/46415

glibc: backport patch to fix CVE-2023-4911
https://lwn.net/ml/oss-security/20231003175031.GA16924@localhost.localdomain/


A patch file from https://github.com/void-linux/void-packages/pull/46415.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-CVE-2023-4911-46415.patch --]
[-- Type: text/x-diff, Size: 19840 bytes --]

From 8699f96bc0cc98b8b7e67870802b5e6427425708 Mon Sep 17 00:00:00 2001
From: John <me@johnnynator.dev>
Date: Tue, 3 Oct 2023 22:08:47 +0200
Subject: [PATCH] glibc: backport patch to fix CVE-2023-4911

https://lwn.net/ml/oss-security/20231003175031.GA16924@localhost.localdomain/
---
 ...te-GLIBC_TUNABLES-in-setxid-binaries.patch | 417 ++++++++++++++++++
 srcpkgs/glibc/template                        |   2 +-
 2 files changed, 418 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch

diff --git a/srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch b/srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
new file mode 100644
index 0000000000000..fc7830356808e
--- /dev/null
+++ b/srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
@@ -0,0 +1,417 @@
+From patchwork Tue Oct  3 17:08:10 2023
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Siddhesh Poyarekar <siddhesh@sourceware.org>
+X-Patchwork-Id: 77038
+Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org>
+X-Original-To: patchwork@sourceware.org
+Delivered-To: patchwork@sourceware.org
+Received: from server2.sourceware.org (localhost [IPv6:::1])
+	by sourceware.org (Postfix) with ESMTP id DB38C385CCA2
+	for <patchwork@sourceware.org>; Tue,  3 Oct 2023 17:08:42 +0000 (GMT)
+DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org DB38C385CCA2
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
+	s=default; t=1696352922;
+	bh=2RzFRLi6L0tM80JbqKAeTTtCk5ZkWIOMJhguuLeep8Q=;
+	h=From:To:Cc:Subject:Date:In-Reply-To:References:List-Id:
+	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
+	 From;
+	b=QRybe90jP8qt9a+5cscmdYZ3Z4fm9+3BJOo8objrqar1PzOvKmKTzG0t8+1OY0l/R
+	 LrPeV6/h5aL33rolY0Vt/9GIFLxXHNysRKHuQiJhztTUI6m7gXEUBfuLJo8aILgRxI
+	 Z0bP8m8+2WgCSy4fiT3sm8S+yefHfFtDmeFRmZF4=
+X-Original-To: libc-alpha@sourceware.org
+Delivered-To: libc-alpha@sourceware.org
+Received: from slateblue.cherry.relay.mailchannels.net
+ (slateblue.cherry.relay.mailchannels.net [23.83.223.168])
+ by sourceware.org (Postfix) with ESMTPS id 7CDB43858D28
+ for <libc-alpha@sourceware.org>; Tue,  3 Oct 2023 17:08:19 +0000 (GMT)
+DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 7CDB43858D28
+Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none)
+ header.from=sourceware.org
+Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=sourceware.org
+X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
+Received: from relay.mailchannels.net (localhost [127.0.0.1])
+ by relay.mailchannels.net (Postfix) with ESMTP id A32776C2631;
+ Tue,  3 Oct 2023 17:08:18 +0000 (UTC)
+Received: from pdx1-sub0-mail-a208.dreamhost.com (unknown [127.0.0.6])
+ (Authenticated sender: dreamhost)
+ by relay.mailchannels.net (Postfix) with ESMTPA id 290146C1C80;
+ Tue,  3 Oct 2023 17:08:18 +0000 (UTC)
+ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1696352898; a=rsa-sha256;
+ cv=none;
+ b=cDdQxKxiu03h++yel1nz5imDBScvEFM7sjYlTW6tzo/bGsXftsu9MgpgqkeR/DM68wkBCQ
+ omYRV2W2py8ydsRRnF4ks9B2agNa4b3tkb9aIVttKu6dvgtCVbCAYqJj7nC+QFEwYekAjm
+ hBpMGAgqFJ98zNE2++zO/h+06g+WEA3a3kXv2HPMOjbQAgKNiMAYGzLjiOgKMBOWalzH8k
+ PbVS7LPyDJItCIAG/B6Sp9lYgWtEkEZrd76hBz8nDOAHS3/r51ytREWy7xf0aQQp5oG3x+
+ 5Dg64UHMvrgX8K5eCrsRKRNlzVhqgz623OLZvQmcHyXbJ6PkqYyCrtULfSzQ8w==
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=mailchannels.net; s=arc-2022; t=1696352898;
+ h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
+ to:to:cc:cc:mime-version:mime-version:
+ content-transfer-encoding:content-transfer-encoding:
+ in-reply-to:in-reply-to:references:references;
+ bh=2RzFRLi6L0tM80JbqKAeTTtCk5ZkWIOMJhguuLeep8Q=;
+ b=QpV56l5sKus/qz0qJOuBY1+88GFCyEl374Dkotv9aJINpanUQw9ffW06Bpt0E9JUcVvrhQ
+ tik6YsAhHlZ37iK5YtguSkDp5ikYgZWf18ACeLs9QqwgrbS1j5TcpvjlgZy4iXB59da+8w
+ zAfjU8TptFXIdSK32QAqAFG2QMyAB8tZ6IY67pDS7x7aXZo6qMEraAidfchWUZodY5Gb+R
+ SmE65TunarvWGQyrVDub08/1+WufqVkEAeIeOjXfmFNVXp++V1kT/WJN+2pp6st2qRsPUd
+ OOIxnc8XMH4KOigtHQEfynGXxNXhlt6wCz2S9N9Lcy8vUdLU41mso+kb1tTAbw==
+ARC-Authentication-Results: i=1; rspamd-7d5dc8fd68-78xqj;
+ auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@sourceware.org
+X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
+X-MC-Relay: Neutral
+X-MC-Copy: stored-urls
+X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org
+X-MailChannels-Auth-Id: dreamhost
+X-Battle-Keen: 0b88c40b6f696b57_1696352898487_1294998186
+X-MC-Loop-Signature: 1696352898487:1412498620
+X-MC-Ingress-Time: 1696352898487
+Received: from pdx1-sub0-mail-a208.dreamhost.com (pop.dreamhost.com
+ [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
+ by 100.124.45.11 (trex/6.9.1); Tue, 03 Oct 2023 17:08:18 +0000
+Received: from fedora.redhat.com
+ (bras-vprn-toroon4834w-lp130-02-142-113-138-41.dsl.bell.ca [142.113.138.41])
+ (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
+ key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
+ SHA256)
+ (No client certificate requested)
+ (Authenticated sender: siddhesh@gotplt.org)
+ by pdx1-sub0-mail-a208.dreamhost.com (Postfix) with ESMTPSA id 4S0PR55hzKzn8;
+ Tue,  3 Oct 2023 10:08:17 -0700 (PDT)
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+To: libc-alpha@sourceware.org
+Cc: Carlos O'Donell <carlos@redhat.com>
+Subject: [committed 1/2] Propagate GLIBC_TUNABLES in setxid binaries
+Date: Tue,  3 Oct 2023 13:08:10 -0400
+Message-ID: <20231003170811.64957-2-siddhesh@sourceware.org>
+X-Mailer: git-send-email 2.41.0
+In-Reply-To: <20231003170811.64957-1-siddhesh@sourceware.org>
+References: <20231003170811.64957-1-siddhesh@sourceware.org>
+MIME-Version: 1.0
+X-Spam-Status: No, score=-1172.6 required=5.0 tests=BAYES_00, GIT_PATCH_0,
+ KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4,
+ RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_SOFTFAIL,
+ TXREP autolearn=ham autolearn_force=no version=3.4.6
+X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
+ server2.sourceware.org
+X-BeenThere: libc-alpha@sourceware.org
+X-Mailman-Version: 2.1.30
+Precedence: list
+List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
+List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
+ <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
+List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
+List-Post: <mailto:libc-alpha@sourceware.org>
+List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
+List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
+ <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
+Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org
+
+GLIBC_TUNABLES scrubbing happens earlier than envvar scrubbing and some
+tunables are required to propagate past setxid boundary, like their
+env_alias.  Rely on tunable scrubbing to clean out GLIBC_TUNABLES like
+before, restoring behaviour in glibc 2.37 and earlier.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+---
+ sysdeps/generic/unsecvars.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
+index 81397fb90b..8278c50a84 100644
+--- a/sysdeps/generic/unsecvars.h
++++ b/sysdeps/generic/unsecvars.h
+@@ -1,16 +1,9 @@
+-#if !HAVE_TUNABLES
+-# define GLIBC_TUNABLES_ENVVAR "GLIBC_TUNABLES\0"
+-#else
+-# define GLIBC_TUNABLES_ENVVAR
+-#endif
+-
+ /* Environment variable to be removed for SUID programs.  The names are
+    all stuffed in a single string which means they have to be terminated
+    with a '\0' explicitly.  */
+ #define UNSECURE_ENVVARS \
+   "GCONV_PATH\0"							      \
+   "GETCONF_DIR\0"							      \
+-  GLIBC_TUNABLES_ENVVAR							      \
+   "HOSTALIASES\0"							      \
+   "LD_AUDIT\0"								      \
+   "LD_DEBUG\0"								      \
+
+From patchwork Tue Oct  3 17:08:11 2023
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Siddhesh Poyarekar <siddhesh@sourceware.org>
+X-Patchwork-Id: 77040
+Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org>
+X-Original-To: patchwork@sourceware.org
+Delivered-To: patchwork@sourceware.org
+Received: from server2.sourceware.org (localhost [IPv6:::1])
+	by sourceware.org (Postfix) with ESMTP id 90535385CC8E
+	for <patchwork@sourceware.org>; Tue,  3 Oct 2023 17:09:27 +0000 (GMT)
+DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 90535385CC8E
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
+	s=default; t=1696352967;
+	bh=1a0fWBPdnW+Tu1zUE/ZtlBb3zkAS8ABX2A2qqUYl2W0=;
+	h=From:To:Cc:Subject:Date:In-Reply-To:References:List-Id:
+	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
+	 From;
+	b=p8p8AVjSvb0mchlnPPLXBSl0uiO3Ll19jk44ZZYoNT/9rfxwwP3sQrBZ96DGvgZp4
+	 hofaD3CNHD+uzWfyRTZMphCrbIzU0+8P333aw5k0mzhopX6efSYBak9XSXrFvUS7HH
+	 x+o5TNG8pF9tO14j6BBePr2bqtCu+31XO/DLjIJw=
+X-Original-To: libc-alpha@sourceware.org
+Delivered-To: libc-alpha@sourceware.org
+Received: from butterfly.birch.relay.mailchannels.net
+ (butterfly.birch.relay.mailchannels.net [23.83.209.27])
+ by sourceware.org (Postfix) with ESMTPS id 81AA83858C5E
+ for <libc-alpha@sourceware.org>; Tue,  3 Oct 2023 17:08:20 +0000 (GMT)
+DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 81AA83858C5E
+Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none)
+ header.from=sourceware.org
+Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=sourceware.org
+X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
+Received: from relay.mailchannels.net (localhost [127.0.0.1])
+ by relay.mailchannels.net (Postfix) with ESMTP id 0871D81B37;
+ Tue,  3 Oct 2023 17:08:19 +0000 (UTC)
+Received: from pdx1-sub0-mail-a208.dreamhost.com (unknown [127.0.0.6])
+ (Authenticated sender: dreamhost)
+ by relay.mailchannels.net (Postfix) with ESMTPA id 882CC81ABC;
+ Tue,  3 Oct 2023 17:08:18 +0000 (UTC)
+ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1696352898; a=rsa-sha256;
+ cv=none;
+ b=5qfMxmUwI83hq0oagEYhS/XgeghenGvdsyyQNyzIxdd+sx0pSvj2LvtFItP5IdfEzyT0mo
+ z99sZFlNFC3QVzXqioS/dDGwPLP4cQekn81NxD+M6x6IWv8b9Y4ItKCBrHDSLA8zsQNLZh
+ fAQ3pRbUuJ+9tF1UeQNh5hrAVZL9XL4TNpw4wwxteUidysvDET7N40V2gDjNM3OJOLgnN3
+ sm08CH3vTmtyluSrZDldARABDURZWCqS3EU6aM7++rsPREkVlXXITjy3RYLNl4adR30vQf
+ KH5M6FKgN59Aj/rUqYr3/fo6WLPByT2Y1NbKGCMZt3jsx56W2PRcLp7i3S44LQ==
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=mailchannels.net; s=arc-2022; t=1696352898;
+ h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
+ to:to:cc:cc:mime-version:mime-version:
+ content-transfer-encoding:content-transfer-encoding:
+ in-reply-to:in-reply-to:references:references;
+ bh=1a0fWBPdnW+Tu1zUE/ZtlBb3zkAS8ABX2A2qqUYl2W0=;
+ b=Tn8H65fgxUzepI2lrbb5auhvz4tbajJWXlsUHCOwkvZeeb9srwdum3GsKRr3JQCTyO8FqJ
+ g2HfiKLD6NjF7FdYESP0U7821Ws2xDZHXxvCpOFAfGR4Heqneim0tCAam0hZtaRPpAJXS2
+ 9d8uxJZfHZE5nmclYZWYPjT8SeekWSy1KDKDaYT12KuEqIBSCAz8dn4YJuOHOazU7ENOpX
+ MWMz4Y+ynPVJ54o75g3iSj85Bsc4yppJ9evbKP9CNtzt+7rplj0QPr2Wb/0B+Qj+l6A6OH
+ WIvjpSe2aOre5EqSL0iTXQk+j3RrfY0po6JvId2S7KeVTVblzhzmr1t1lvcJ0A==
+ARC-Authentication-Results: i=1; rspamd-7d5dc8fd68-zzz4g;
+ auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@sourceware.org
+X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
+X-MC-Relay: Neutral
+X-MC-Copy: stored-urls
+X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org
+X-MailChannels-Auth-Id: dreamhost
+X-Shoe-Irritate: 4ee5cef551df488b_1696352898863_921716443
+X-MC-Loop-Signature: 1696352898863:2049982880
+X-MC-Ingress-Time: 1696352898863
+Received: from pdx1-sub0-mail-a208.dreamhost.com (pop.dreamhost.com
+ [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
+ by 100.109.140.241 (trex/6.9.1); Tue, 03 Oct 2023 17:08:18 +0000
+Received: from fedora.redhat.com
+ (bras-vprn-toroon4834w-lp130-02-142-113-138-41.dsl.bell.ca [142.113.138.41])
+ (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
+ key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
+ SHA256)
+ (No client certificate requested)
+ (Authenticated sender: siddhesh@gotplt.org)
+ by pdx1-sub0-mail-a208.dreamhost.com (Postfix) with ESMTPSA id 4S0PR61KXqzM7;
+ Tue,  3 Oct 2023 10:08:18 -0700 (PDT)
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+To: libc-alpha@sourceware.org
+Cc: Carlos O'Donell <carlos@redhat.com>
+Subject: [committed 2/2] tunables: Terminate if end of input is reached
+ (CVE-2023-4911)
+Date: Tue,  3 Oct 2023 13:08:11 -0400
+Message-ID: <20231003170811.64957-3-siddhesh@sourceware.org>
+X-Mailer: git-send-email 2.41.0
+In-Reply-To: <20231003170811.64957-1-siddhesh@sourceware.org>
+References: <20231003170811.64957-1-siddhesh@sourceware.org>
+MIME-Version: 1.0
+X-Spam-Status: No, score=-1172.5 required=5.0 tests=BAYES_00, GIT_PATCH_0,
+ KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3,
+ RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_SOFTFAIL,
+ TXREP autolearn=ham autolearn_force=no version=3.4.6
+X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
+ server2.sourceware.org
+X-BeenThere: libc-alpha@sourceware.org
+X-Mailman-Version: 2.1.30
+Precedence: list
+List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
+List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
+ <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
+List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
+List-Post: <mailto:libc-alpha@sourceware.org>
+List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
+List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
+ <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
+Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+
+This also fixes up tst-env-setuid-tunables to actually handle failures
+correct and add new tests to validate the fix for this CVE.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+---
+ NEWS                          |  5 +++++
+ elf/dl-tunables.c             | 17 +++++++++-------
+ elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++--------
+ 3 files changed, 44 insertions(+), 15 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index a94650da64..cc4b81f0ac 100644
+--- a/NEWS
++++ b/NEWS
+@@ -64,6 +64,11 @@ Security related changes:
+   an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
+   AI_ALL and AI_V4MAPPED flags set.
+ 
++  CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
++  environment of a setuid program and NAME is valid, it may result in a
++  buffer overflow, which could be exploited to achieve escalated
++  privileges.  This flaw was introduced in glibc 2.34.
++
+ The following bugs are resolved with this release:
+ 
+   [The release manager will add the list generated by
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 62b7332d95..cae67efa0a 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -180,11 +180,7 @@ parse_tunables (char *tunestr, char *valstring)
+       /* If we reach the end of the string before getting a valid name-value
+ 	 pair, bail out.  */
+       if (p[len] == '\0')
+-	{
+-	  if (__libc_enable_secure)
+-	    tunestr[off] = '\0';
+-	  return;
+-	}
++	break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+ 	 colon.  */
+@@ -244,9 +240,16 @@ parse_tunables (char *tunestr, char *valstring)
+ 	    }
+ 	}
+ 
+-      if (p[len] != '\0')
+-	p += len + 1;
++      /* We reached the end while processing the tunable string.  */
++      if (p[len] == '\0')
++	break;
++
++      p += len + 1;
+     }
++
++  /* Terminate tunestr before we leave.  */
++  if (__libc_enable_secure)
++    tunestr[off] = '\0';
+ }
+ 
+ /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when
+diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
+index 7dfb0e073a..f0b92c97e7 100644
+--- a/elf/tst-env-setuid-tunables.c
++++ b/elf/tst-env-setuid-tunables.c
+@@ -50,6 +50,8 @@ const char *teststrings[] =
+   "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+   "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
+   "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.check=2",
+   "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
+   "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
+   ":glibc.malloc.garbage=2:glibc.malloc.check=1",
+@@ -68,6 +70,8 @@ const char *resultstrings[] =
+   "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "",
+   "",
+   "",
+   "",
+@@ -88,11 +88,18 @@ test_child (int off)
+   const char *val = getenv ("GLIBC_TUNABLES");
+ 
+ #if HAVE_TUNABLES
++  printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
++  fflush (stdout);
+   if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+     return 0;
+ 
+   if (val != NULL)
+-    printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
++    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
++           off, val, resultstrings[off]);
++  else
++    printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
++
++  fflush (stdout);
+ 
+   return 1;
+ #else
+@@ -106,21 +117,26 @@ do_test (int argc, char **argv)
+       if (ret != 0)
+ 	exit (1);
+ 
+-      exit (EXIT_SUCCESS);
++      /* Special return code to make sure that the child executed all the way
++	 through.  */
++      exit (42);
+     }
+   else
+     {
+-      int ret = 0;
+-
+       /* Spawn tests.  */
+       for (int i = 0; i < array_length (teststrings); i++)
+ 	{
+ 	  char buf[INT_BUFSIZE_BOUND (int)];
+ 
+-	  printf ("Spawned test for %s (%d)\n", teststrings[i], i);
++	  printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
+ 	  snprintf (buf, sizeof (buf), "%d\n", i);
++	  fflush (stdout);
+ 	  if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
+-	    exit (1);
++	    {
++	      printf ("    [%d] Failed to set GLIBC_TUNABLES: %m", i);
++	      support_record_failure ();
++	      continue;
++	    }
+ 
+ 	  int status = support_capture_subprogram_self_sgid (buf);
+ 
+@@ -128,9 +144,14 @@ do_test (int argc, char **argv)
+ 	  if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
+ 	    return EXIT_UNSUPPORTED;
+ 
+-	  ret |= status;
++	  if (WEXITSTATUS (status) != 42)
++	    {
++	      printf ("    [%d] child failed with status %d\n", i,
++		      WEXITSTATUS (status));
++	      support_record_failure ();
++	    }
+ 	}
+-      return ret;
++      return 0;
+     }
+ }
+ 
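Review bot: the vendored patch file keeps the complete Patchwork mail envelopes of both upstream commits (Return-Path, Received, DKIM-Signature, ARC-Seal, X-Spam-Status, List-* and similar headers, once per commit), which is noise that buries the actual change and will churn every time the file is regenerated; trim each embedded commit to its From:, Subject: and Date: lines plus the commit message and diff, as `git format-patch` output would look. One backport-specific check as well: the NEWS hunk of [committed 2/2] is documentation only, and its context lines (`an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,` under `Security related changes:`) come from the upstream tree the commit was made on, not necessarily from the NEWS of the 2.36 branch snapshot the template pins with `_patchver="72-g0f90d6204d"`; either confirm that hunk applies there or drop it from the backport so that only the code hunks in elf/ have to apply.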
diff --git a/srcpkgs/glibc/template b/srcpkgs/glibc/template
index 452b55c127624..98de6ad7412ed 100644
--- a/srcpkgs/glibc/template
+++ b/srcpkgs/glibc/template
@@ -1,7 +1,7 @@
 # Template file for 'glibc'
 pkgname=glibc
 version=2.36
-revision=1
+revision=2
 _patchver="72-g0f90d6204d"
 bootstrap=yes
 short_desc="GNU C library"

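The double parse that the [committed 2/2] message describes, as an added model in C (not glibc's code and not part of this pull request): the setuid-mode rewrite of tunestr is re-implemented with a bounds-checked writer, so for a name=name=val string the pre-fix loop reports the out-of-bounds write instead of performing it, while the loop with the patch's exit condition produces exactly the resultstrings the updated test expects. The two-entry tunable table and its security levels are an assumption standing in for dl-tunables.list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed subset of glibc's dl-tunables.list, enough for the test strings in
   the patch: malloc.check is erased in setxid programs, mmap_threshold is
   passed through (SXID_IGNORE).  Values are never applied in this model.  */
enum seclevel { SXID_ERASE, SXID_IGNORE, SXID_NONE };
struct tunable { const char *name; enum seclevel level; };
static const struct tunable tunable_list[] = {
  { "glibc.malloc.check",          SXID_ERASE  },
  { "glibc.malloc.mmap_threshold", SXID_IGNORE },
};

/* Same rule as glibc's tunable_is_name: the full name, followed by '='.  */
static bool tunable_is_name (const char *orig, const char *envname)
{
  for (; *orig != '\0' && *envname != '\0'; orig++, envname++)
    if (*orig != *envname)
      break;
  return *orig == '\0' && *envname == '=';
}

/* Bounds-checked stand-in for `tunestr[off++] = c`.  */
static bool emit (char *out, size_t cap, size_t *off, char c)
{
  if (*off >= cap)
    return false;
  out[(*off)++] = c;
  return true;
}

/* Rewrite ENV into OUT (CAP bytes) the way the AT_SECURE path rewrites
   tunestr.  glibc's tunestr is a copy of the env value, so CAP is
   strlen (env) + 1.  FIXED selects the loop exit added by the CVE fix.
   Returns the result length, or -1 where a write would leave the buffer.  */
static long model_parse_tunables (const char *env, bool fixed,
                                  char *out, size_t cap)
{
  const char *p = env;
  size_t off = 0;
  while (true)
    {
      const char *name = p;
      size_t len = 0;
      while (p[len] != '=' && p[len] != ':' && p[len] != '\0')
        len++;
      if (p[len] == '\0')
        break;                          /* no name=value pair left */
      if (p[len] == ':')
        { p += len + 1; continue; }     /* bare token without '=' */
      p += len + 1;
      const char *value = p;            /* glibc reads this from valstring */
      len = 0;
      while (p[len] != ':' && p[len] != '\0')
        len++;
      for (size_t i = 0; i < sizeof tunable_list / sizeof tunable_list[0]; i++)
        {
          const struct tunable *cur = &tunable_list[i];
          if (!tunable_is_name (cur->name, name))
            continue;
          if (cur->level != SXID_ERASE)   /* copy name=value into tunestr */
            {
              if (off > 0 && !emit (out, cap, &off, ':'))
                return -1;
              for (const char *n = cur->name; *n != '\0'; n++)
                if (!emit (out, cap, &off, *n))
                  return -1;
              if (!emit (out, cap, &off, '='))
                return -1;
              for (size_t j = 0; j < len; j++)
                if (!emit (out, cap, &off, value[j]))
                  return -1;
            }
          break;
        }
      /* The fix: leave once the value reached the end of the string.  Before
         it, p stayed on the value and "name=val" was parsed and appended a
         second time, which is the overflow for "name=name=val".  */
      if (p[len] == '\0' && fixed)
        break;
      if (p[len] != '\0')
        p += len + 1;
    }
  if (!emit (out, cap, &off, '\0'))     /* the final tunestr[off] = '\0' */
    return -1;
  return (long) off - 1;
}
```

Call model_parse_tunables with cap = strlen(env) + 1 to reproduce the buffer size glibc gives tunestr.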

* Re: [PR REVIEW] glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
@ 2023-10-03 20:22 ` classabbyamp
  2023-10-03 20:31 ` [PR PATCH] [Updated] " Johnnynator
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: classabbyamp @ 2023-10-03 20:22 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 197 bytes --]

New review comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/46415#discussion_r1344693151

Comment:
do we need to include all the email headers?


* Re: [PR PATCH] [Updated] glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
  2023-10-03 20:22 ` [PR REVIEW] " classabbyamp
@ 2023-10-03 20:31 ` Johnnynator
  2023-10-03 20:32 ` [PR REVIEW] " Johnnynator
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Johnnynator @ 2023-10-03 20:31 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 424 bytes --]

There is an updated pull request by Johnnynator against master on the void-packages repository

https://github.com/Johnnynator/void-packages CVE-2023-4911
https://github.com/void-linux/void-packages/pull/46415

glibc: backport patch to fix CVE-2023-4911
https://lwn.net/ml/oss-security/20231003175031.GA16924@localhost.localdomain/


A patch file from https://github.com/void-linux/void-packages/pull/46415.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-CVE-2023-4911-46415.patch --]
[-- Type: text/x-diff, Size: 8290 bytes --]

From 6b20f8066379a235cd75218a538d57fb6dce8aea Mon Sep 17 00:00:00 2001
From: John <me@johnnynator.dev>
Date: Tue, 3 Oct 2023 22:08:47 +0200
Subject: [PATCH] glibc: backport patch to fix CVE-2023-4911

https://lwn.net/ml/oss-security/20231003175031.GA16924@localhost.localdomain/
---
 ...te-GLIBC_TUNABLES-in-setxid-binaries.patch | 205 ++++++++++++++++++
 srcpkgs/glibc/template                        |   2 +-
 2 files changed, 206 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch

diff --git a/srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch b/srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
new file mode 100644
index 0000000000000..31e1a2048eaf4
--- /dev/null
+++ b/srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
@@ -0,0 +1,205 @@
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Subject: [committed 1/2] Propagate GLIBC_TUNABLES in setxid binaries
+Date: Tue,  3 Oct 2023 13:08:10 -0400
+
+GLIBC_TUNABLES scrubbing happens earlier than envvar scrubbing and some
+tunables are required to propagate past setxid boundary, like their
+env_alias.  Rely on tunable scrubbing to clean out GLIBC_TUNABLES like
+before, restoring behaviour in glibc 2.37 and earlier.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+---
+ sysdeps/generic/unsecvars.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
+index 81397fb90b..8278c50a84 100644
+--- a/sysdeps/generic/unsecvars.h
++++ b/sysdeps/generic/unsecvars.h
+@@ -1,16 +1,9 @@
+-#if !HAVE_TUNABLES
+-# define GLIBC_TUNABLES_ENVVAR "GLIBC_TUNABLES\0"
+-#else
+-# define GLIBC_TUNABLES_ENVVAR
+-#endif
+-
+ /* Environment variable to be removed for SUID programs.  The names are
+    all stuffed in a single string which means they have to be terminated
+    with a '\0' explicitly.  */
+ #define UNSECURE_ENVVARS \
+   "GCONV_PATH\0"							      \
+   "GETCONF_DIR\0"							      \
+-  GLIBC_TUNABLES_ENVVAR							      \
+   "HOSTALIASES\0"							      \
+   "LD_AUDIT\0"								      \
+   "LD_DEBUG\0"								      \
+
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Subject: [committed 2/2] tunables: Terminate if end of input is reached
+ (CVE-2023-4911)
+Date: Tue,  3 Oct 2023 13:08:11 -0400
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+
+This also fixes up tst-env-setuid-tunables to actually handle failures
+correct and add new tests to validate the fix for this CVE.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+---
+ NEWS                          |  5 +++++
+ elf/dl-tunables.c             | 17 +++++++++-------
+ elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++--------
+ 3 files changed, 44 insertions(+), 15 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index a94650da64..cc4b81f0ac 100644
+--- a/NEWS
++++ b/NEWS
+@@ -64,6 +64,11 @@ Security related changes:
+   an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
+   AI_ALL and AI_V4MAPPED flags set.
+ 
++  CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
++  environment of a setuid program and NAME is valid, it may result in a
++  buffer overflow, which could be exploited to achieve escalated
++  privileges.  This flaw was introduced in glibc 2.34.
++
+ The following bugs are resolved with this release:
+ 
+   [The release manager will add the list generated by
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 62b7332d95..cae67efa0a 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -180,11 +180,7 @@ parse_tunables (char *tunestr, char *valstring)
+       /* If we reach the end of the string before getting a valid name-value
+ 	 pair, bail out.  */
+       if (p[len] == '\0')
+-	{
+-	  if (__libc_enable_secure)
+-	    tunestr[off] = '\0';
+-	  return;
+-	}
++	break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+ 	 colon.  */
+@@ -244,9 +240,16 @@ parse_tunables (char *tunestr, char *valstring)
+ 	    }
+ 	}
+ 
+-      if (p[len] != '\0')
+-	p += len + 1;
++      /* We reached the end while processing the tunable string.  */
++      if (p[len] == '\0')
++	break;
++
++      p += len + 1;
+     }
++
++  /* Terminate tunestr before we leave.  */
++  if (__libc_enable_secure)
++    tunestr[off] = '\0';
+ }
+ 
+ /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when
+diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
+index 7dfb0e073a..f0b92c97e7 100644
+--- a/elf/tst-env-setuid-tunables.c
++++ b/elf/tst-env-setuid-tunables.c
+@@ -50,6 +50,8 @@ const char *teststrings[] =
+   "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+   "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
+   "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.check=2",
+   "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
+   "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
+   ":glibc.malloc.garbage=2:glibc.malloc.check=1",
+@@ -68,6 +70,8 @@ const char *resultstrings[] =
+   "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "",
+   "",
+   "",
+   "",
+@@ -88,11 +88,18 @@ test_child (int off)
+   const char *val = getenv ("GLIBC_TUNABLES");
+ 
+ #if HAVE_TUNABLES
++  printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
++  fflush (stdout);
+   if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+     return 0;
+ 
+   if (val != NULL)
+-    printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
++    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
++           off, val, resultstrings[off]);
++  else
++    printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
++
++  fflush (stdout);
+ 
+   return 1;
+ #else
+@@ -106,21 +117,26 @@ do_test (int argc, char **argv)
+       if (ret != 0)
+ 	exit (1);
+ 
+-      exit (EXIT_SUCCESS);
++      /* Special return code to make sure that the child executed all the way
++	 through.  */
++      exit (42);
+     }
+   else
+     {
+-      int ret = 0;
+-
+       /* Spawn tests.  */
+       for (int i = 0; i < array_length (teststrings); i++)
+ 	{
+ 	  char buf[INT_BUFSIZE_BOUND (int)];
+ 
+-	  printf ("Spawned test for %s (%d)\n", teststrings[i], i);
++	  printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
+ 	  snprintf (buf, sizeof (buf), "%d\n", i);
++	  fflush (stdout);
+ 	  if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
+-	    exit (1);
++	    {
++	      printf ("    [%d] Failed to set GLIBC_TUNABLES: %m", i);
++	      support_record_failure ();
++	      continue;
++	    }
+ 
+ 	  int status = support_capture_subprogram_self_sgid (buf);
+ 
+@@ -128,9 +144,14 @@ do_test (int argc, char **argv)
+ 	  if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
+ 	    return EXIT_UNSUPPORTED;
+ 
+-	  ret |= status;
++	  if (WEXITSTATUS (status) != 42)
++	    {
++	      printf ("    [%d] child failed with status %d\n", i,
++		      WEXITSTATUS (status));
++	      support_record_failure ();
++	    }
+ 	}
+-      return ret;
++      return 0;
+     }
+ }
+ 
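Review bot: the file is still named committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch although it also carries [committed 2/2], which is the actual CVE-2023-4911 fix in elf/dl-tunables.c; either split it into one file per upstream commit or name it after the CVE so a later reader can see where the fix lives. Also, the [committed 1/2] message says it restores the behaviour of "glibc 2.37 and earlier" by deleting the `GLIBC_TUNABLES_ENVVAR` lines from sysdeps/generic/unsecvars.h, yet the template builds `version=2.36`: confirm those lines exist in the 2.36 branch snapshot pinned by `_patchver="72-g0f90d6204d"` so the hunk applies, and if they do not, drop 1/2 and carry only 2/2.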
diff --git a/srcpkgs/glibc/template b/srcpkgs/glibc/template
index 452b55c127624..98de6ad7412ed 100644
--- a/srcpkgs/glibc/template
+++ b/srcpkgs/glibc/template
@@ -1,7 +1,7 @@
 # Template file for 'glibc'
 pkgname=glibc
 version=2.36
-revision=1
+revision=2
 _patchver="72-g0f90d6204d"
 bootstrap=yes
 short_desc="GNU C library"


* Re: [PR REVIEW] glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
  2023-10-03 20:22 ` [PR REVIEW] " classabbyamp
  2023-10-03 20:31 ` [PR PATCH] [Updated] " Johnnynator
@ 2023-10-03 20:32 ` Johnnynator
  2023-10-03 20:46 ` [PR PATCH] [Updated] " Johnnynator
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Johnnynator @ 2023-10-03 20:32 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 180 bytes --]

New review comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/pull/46415#discussion_r1344704181

Comment:
Removed most of the headers.


* Re: [PR PATCH] [Updated] glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
                   ` (2 preceding siblings ...)
  2023-10-03 20:32 ` [PR REVIEW] " Johnnynator
@ 2023-10-03 20:46 ` Johnnynator
  2023-10-03 20:47 ` [PR PATCH] [Merged]: " Johnnynator
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Johnnynator @ 2023-10-03 20:46 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 424 bytes --]

There is an updated pull request by Johnnynator against master on the void-packages repository

https://github.com/Johnnynator/void-packages CVE-2023-4911
https://github.com/void-linux/void-packages/pull/46415

glibc: backport patch to fix CVE-2023-4911
https://lwn.net/ml/oss-security/20231003175031.GA16924@localhost.localdomain/


A patch file from https://github.com/void-linux/void-packages/pull/46415.patch is attached

[-- Attachment #2: github-pr-CVE-2023-4911-46415.patch --]
[-- Type: text/x-diff, Size: 8290 bytes --]

From fd2b430dcb2db1fd692a3f83885d9738a08feeaa Mon Sep 17 00:00:00 2001
From: John <me@johnnynator.dev>
Date: Tue, 3 Oct 2023 22:08:47 +0200
Subject: [PATCH] glibc: backport patch to fix CVE-2023-4911

https://lwn.net/ml/oss-security/20231003175031.GA16924@localhost.localdomain/
---
 ...te-GLIBC_TUNABLES-in-setxid-binaries.patch | 205 ++++++++++++++++++
 srcpkgs/glibc/template                        |   2 +-
 2 files changed, 206 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch

diff --git a/srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch b/srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
new file mode 100644
index 0000000000000..31e1a2048eaf4
--- /dev/null
+++ b/srcpkgs/glibc/patches/committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
@@ -0,0 +1,205 @@
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Subject: [committed 1/2] Propagate GLIBC_TUNABLES in setxid binaries
+Date: Tue,  3 Oct 2023 13:08:10 -0400
+
+GLIBC_TUNABLES scrubbing happens earlier than envvar scrubbing and some
+tunables are required to propagate past setxid boundary, like their
+env_alias.  Rely on tunable scrubbing to clean out GLIBC_TUNABLES like
+before, restoring behaviour in glibc 2.37 and earlier.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+---
+ sysdeps/generic/unsecvars.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
+index 81397fb90b..8278c50a84 100644
+--- a/sysdeps/generic/unsecvars.h
++++ b/sysdeps/generic/unsecvars.h
+@@ -1,16 +1,9 @@
+-#if !HAVE_TUNABLES
+-# define GLIBC_TUNABLES_ENVVAR "GLIBC_TUNABLES\0"
+-#else
+-# define GLIBC_TUNABLES_ENVVAR
+-#endif
+-
+ /* Environment variable to be removed for SUID programs.  The names are
+    all stuffed in a single string which means they have to be terminated
+    with a '\0' explicitly.  */
+ #define UNSECURE_ENVVARS \
+   "GCONV_PATH\0"							      \
+   "GETCONF_DIR\0"							      \
+-  GLIBC_TUNABLES_ENVVAR							      \
+   "HOSTALIASES\0"							      \
+   "LD_AUDIT\0"								      \
+   "LD_DEBUG\0"								      \
+
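Review bot: for this tree the removal of GLIBC_TUNABLES_ENVVAR from UNSECURE_ENVVARS is a no-op, and the PR description should say so. The deleted `#if !HAVE_TUNABLES` block shows the macro expanded to "GLIBC_TUNABLES\0" only in builds without tunables and to nothing otherwise, and the `#if HAVE_TUNABLES` guards in elf/tst-env-setuid-tunables.c further down show this tree builds with tunables, so the CVE fix proper is entirely in 2/2. That matters because the file is named committed-1-2-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch yet carries both upstream commits (the 2/2 mail header starts immediately below); naming the file after the CVE, or splitting it into one file per upstream commit, would make it obvious which commit does what when someone revisits srcpkgs/glibc/patches/ later.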
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Subject: [committed 2/2] tunables: Terminate if end of input is reached
+ (CVE-2023-4911)
+Date: Tue,  3 Oct 2023 13:08:11 -0400
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+
+This also fixes up tst-env-setuid-tunables to actually handle failures
+correct and add new tests to validate the fix for this CVE.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+---
+ NEWS                          |  5 +++++
+ elf/dl-tunables.c             | 17 +++++++++-------
+ elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++--------
+ 3 files changed, 44 insertions(+), 15 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index a94650da64..cc4b81f0ac 100644
+--- a/NEWS
++++ b/NEWS
+@@ -64,6 +64,11 @@ Security related changes:
+   an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
+   AI_ALL and AI_V4MAPPED flags set.
+ 
++  CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
++  environment of a setuid program and NAME is valid, it may result in a
++  buffer overflow, which could be exploited to achieve escalated
++  privileges.  This flaw was introduced in glibc 2.34.
++
+ The following bugs are resolved with this release:
+ 
+   [The release manager will add the list generated by
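Review bot: this NEWS hunk targets the development NEWS rather than the 2.36 release notes (the "release manager will add the list" placeholder in its trailing context gives that away), so in a backport it either applies with offset/fuzz or fails outright, and since it documents nothing that reaches a Void user, dropping it from the patch file is the safer choice. The one fact in it worth carrying over is the affected-range statement, "This flaw was introduced in glibc 2.34": quoting that in the PR or commit message is the justification for why a 2.36-based package needs this fix at all.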
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 62b7332d95..cae67efa0a 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -180,11 +180,7 @@ parse_tunables (char *tunestr, char *valstring)
+       /* If we reach the end of the string before getting a valid name-value
+ 	 pair, bail out.  */
+       if (p[len] == '\0')
+-	{
+-	  if (__libc_enable_secure)
+-	    tunestr[off] = '\0';
+-	  return;
+-	}
++	break;
+ 
+       /* We did not find a valid name-value pair before encountering the
+ 	 colon.  */
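Review bot: turning the early `return` into `break` removes the secure-mode termination `tunestr[off] = '\0'` from this bail-out path, so this hunk is only correct together with the post-loop termination added in the next hunk. Within this commit that holds, but anyone trimming the backport should keep the two hunks together, because applying only this one would leave tunestr unterminated in secure mode on an input that ends before any valid name=value pair. The comment above the check ("bail out") still reads correctly with `break`, so no comment update is needed.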
+@@ -244,9 +240,16 @@ parse_tunables (char *tunestr, char *valstring)
+ 	    }
+ 	}
+ 
+-      if (p[len] != '\0')
+-	p += len + 1;
++      /* We reached the end while processing the tunable string.  */
++      if (p[len] == '\0')
++	break;
++
++      p += len + 1;
+     }
++
++  /* Terminate tunestr before we leave.  */
++  if (__libc_enable_secure)
++    tunestr[off] = '\0';
+ }
+ 
+ /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when
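Review bot: the `break` on `p[len] == '\0'` is the actual fix, and the removed lines show why it was needed: `if (p[len] != '\0') p += len + 1;` advanced p only when more input followed, so reaching the terminating NUL did not end the loop. The commit message describes the consequence for a name=name=val input (processed first as name=name=val, then as name=val), and because each accepted pair is copied into tunestr at `off` in secure mode, that second pass writes past the end of tunestr. With the loop now exiting here or at the bail-out in the previous hunk, the single `tunestr[off] = '\0'` after the loop covers both paths. Two things to keep in mind: the termination is still conditional on __libc_enable_secure, so non-setxid processes see the unmodified string exactly as before, and the test added below exercises only the setuid path, so the non-secure path gets no regression test from this patch.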
+diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
+index 7dfb0e073a..f0b92c97e7 100644
+--- a/elf/tst-env-setuid-tunables.c
++++ b/elf/tst-env-setuid-tunables.c
+@@ -50,6 +50,8 @@ const char *teststrings[] =
+   "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+   "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
+   "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.check=2",
+   "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
+   "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
+   ":glibc.malloc.garbage=2:glibc.malloc.check=1",
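Review bot: add a comment on the first new entry naming CVE-2023-4911, because failures are reported by index only (`[%d]`) and nothing else in the file ties that index to this fix. The two new entries are the reproducer shape (NAME=NAME=VAL with a valid NAME) and a bare glibc.malloc.check=2; their expected results in the next hunk are the input copied through unchanged and an empty string respectively. The arrays are parallel and indexed together, so it matters that both insertions sit at the same position (after the third entry in each), which they do.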
+@@ -68,6 +70,8 @@ const char *resultstrings[] =
+   "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
+   "glibc.malloc.mmap_threshold=4096",
++  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++  "",
+   "",
+   "",
+   "",
+@@ -88,11 +88,18 @@ test_child (int off)
+   const char *val = getenv ("GLIBC_TUNABLES");
+ 
+ #if HAVE_TUNABLES
++  printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
++  fflush (stdout);
+   if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+     return 0;
+ 
+   if (val != NULL)
+-    printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
++    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
++           off, val, resultstrings[off]);
++  else
++    printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
++
++  fflush (stdout);
+ 
+   return 1;
+ #else
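Review bot: the new-side start in this hunk header, `+88,18`, is off by four: the two preceding hunks add two lines each (the previous header correctly says `+70,8`), so this one should read `+92,18`, and the following do_test hunk's `+117` is consistent with 92 rather than 88. patch(1) and git apply place hunks by the old-side numbers and context, so the file still applies, but the header is worth fixing whenever the patch is regenerated. On the logic, note what the test now pins down: for every entry whose expected result is "" the child requires GLIBC_TUNABLES to be present but empty, since `val == NULL` is logged as "environment variable absent" and returns 1. That asserts the propagate-but-scrub behaviour restored by 1/2, not merely that nothing leaks, so dropping 1/2 at some later point would make these cases fail.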
+@@ -106,21 +117,26 @@ do_test (int argc, char **argv)
+       if (ret != 0)
+ 	exit (1);
+ 
+-      exit (EXIT_SUCCESS);
++      /* Special return code to make sure that the child executed all the way
++	 through.  */
++      exit (42);
+     }
+   else
+     {
+-      int ret = 0;
+-
+       /* Spawn tests.  */
+       for (int i = 0; i < array_length (teststrings); i++)
+ 	{
+ 	  char buf[INT_BUFSIZE_BOUND (int)];
+ 
+-	  printf ("Spawned test for %s (%d)\n", teststrings[i], i);
++	  printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
+ 	  snprintf (buf, sizeof (buf), "%d\n", i);
++	  fflush (stdout);
+ 	  if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
+-	    exit (1);
++	    {
++	      printf ("    [%d] Failed to set GLIBC_TUNABLES: %m", i);
++	      support_record_failure ();
++	      continue;
++	    }
+ 
+ 	  int status = support_capture_subprogram_self_sgid (buf);
+ 
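Review bot: the message at `printf ("    [%d] Failed to set GLIBC_TUNABLES: %m", i);` is the only one in this hunk without a trailing "\n", and it is followed by `continue`, so the next iteration's "[%d] Spawned test for" line lands on the same output line; add the newline. Making the child's success `exit (42)` instead of EXIT_SUCCESS is the right move: a child that left early through the `exit (1)` above, or with any other status, can no longer be mistaken for one that ran the whole comparison.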
+@@ -128,9 +144,14 @@ do_test (int argc, char **argv)
+ 	  if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
+ 	    return EXIT_UNSUPPORTED;
+ 
+-	  ret |= status;
++	  if (WEXITSTATUS (status) != 42)
++	    {
++	      printf ("    [%d] child failed with status %d\n", i,
++		      WEXITSTATUS (status));
++	      support_record_failure ();
++	    }
+ 	}
+-      return ret;
++      return 0;
+     }
+ }
+ 
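Review bot: WEXITSTATUS (status) is read in the new `!= 42` check, and in the EXIT_UNSUPPORTED check above it, without a WIFEXITED (status) test first, so a child terminated by a signal is reported as "child failed with status N" with a meaningless N rather than as a signal, and a write past the end of a buffer in the code under test is exactly the kind of failure that shows up as a signal. Checking WIFEXITED/WIFSIGNALED and printing WTERMSIG in the failure message would make such a regression readable. Returning 0 unconditionally is fine: support_record_failure makes the test process exit nonzero once any failure has been recorded, which is what replaces the old `ret |= status` accumulation.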
diff --git a/srcpkgs/glibc/template b/srcpkgs/glibc/template
index 452b55c127624..98de6ad7412ed 100644
--- a/srcpkgs/glibc/template
+++ b/srcpkgs/glibc/template
@@ -1,7 +1,7 @@
 # Template file for 'glibc'
 pkgname=glibc
 version=2.36
-revision=1
+revision=2
 _patchver="72-g0f90d6204d"
 bootstrap=yes
 short_desc="GNU C library"
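Review bot: the revision bump from 1 to 2, with version and _patchver untouched, is the right and only template change for a patch-only rebuild. The patch touches elf/dl-tunables.c, sysdeps/generic/unsecvars.h, a test and NEWS, none of which changes an exported symbol or soname, so no common/shlibs entry needs to move with it. Since the template has bootstrap=yes, it would help to record in the PR that the package was rebuilt with the patch applied cleanly (the NEWS hunk targets the development NEWS file, so that is the hunk most likely to apply with fuzz against the release-branch snapshot _patchver points at) and, ideally, that elf/tst-env-setuid-tunables passes on the rebuilt library.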

* Re: [PR PATCH] [Merged]: glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
                   ` (3 preceding siblings ...)
  2023-10-03 20:46 ` [PR PATCH] [Updated] " Johnnynator
@ 2023-10-03 20:47 ` Johnnynator
  2023-10-11  9:23 ` [PR REVIEW] " MarijnS95
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Johnnynator @ 2023-10-03 20:47 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 254 bytes --]

There's a merged pull request on the void-packages repository

glibc: backport patch to fix CVE-2023-4911
https://github.com/void-linux/void-packages/pull/46415

Description:
https://lwn.net/ml/oss-security/20231003175031.GA16924@localhost.localdomain/


* Re: [PR REVIEW] glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
                   ` (4 preceding siblings ...)
  2023-10-03 20:47 ` [PR PATCH] [Merged]: " Johnnynator
@ 2023-10-11  9:23 ` MarijnS95
  2023-10-11  9:24 ` MarijnS95
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: MarijnS95 @ 2023-10-11  9:23 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 415 bytes --]

New review comment by MarijnS95 on void-packages repository

https://github.com/void-linux/void-packages/pull/46415#discussion_r1354560610

Comment:
Just sanity-checking myself here: I'm doing a [custom rootfs build](https://github.com/SoMainline/void-bootstrap) courtesy of @JamiKettunen, and it's failing on `unresolved shlibs`. Should the revision suffix in `common/shlibs` have been bumped to `glibc-2.36_2`?


* Re: [PR REVIEW] glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
                   ` (5 preceding siblings ...)
  2023-10-11  9:23 ` [PR REVIEW] " MarijnS95
@ 2023-10-11  9:24 ` MarijnS95
  2023-10-11  9:34 ` classabbyamp
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: MarijnS95 @ 2023-10-11  9:24 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 440 bytes --]

New review comment by MarijnS95 on void-packages repository

https://github.com/void-linux/void-packages/pull/46415#discussion_r1354560610

Comment:
Just sanity-checking myself here: I'm doing a [custom rootfs build](https://github.com/SoMainline/void-bootstrap) courtesy of @JamiKettunen, and it's failing on `unresolved shlibs` from the `glibc` package. Should the revision suffix in `common/shlibs` have been bumped to `glibc-2.36_2`?


* Re: [PR REVIEW] glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
                   ` (6 preceding siblings ...)
  2023-10-11  9:24 ` MarijnS95
@ 2023-10-11  9:34 ` classabbyamp
  2023-10-11  9:35 ` classabbyamp
  2023-10-11 11:00 ` MarijnS95
  9 siblings, 0 replies; 11+ messages in thread
From: classabbyamp @ 2023-10-11  9:34 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 269 bytes --]

New review comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/46415#discussion_r1354574282

Comment:
no

that error probably means there's something being installed that was removed from the repositories at some point

* Re: [PR REVIEW] glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
                   ` (7 preceding siblings ...)
  2023-10-11  9:34 ` classabbyamp
@ 2023-10-11  9:35 ` classabbyamp
  2023-10-11 11:00 ` MarijnS95
  9 siblings, 0 replies; 11+ messages in thread
From: classabbyamp @ 2023-10-11  9:35 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 396 bytes --]

New review comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/46415#discussion_r1354574282

Comment:
no

that error probably means there's something being installed that was removed from the repositories at some point

the full error message is generally useful to include but also this is not the place to discuss this. create an issue instead

* Re: [PR REVIEW] glibc: backport patch to fix CVE-2023-4911
  2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
                   ` (8 preceding siblings ...)
  2023-10-11  9:35 ` classabbyamp
@ 2023-10-11 11:00 ` MarijnS95
  9 siblings, 0 replies; 11+ messages in thread
From: MarijnS95 @ 2023-10-11 11:00 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 466 bytes --]

New review comment by MarijnS95 on void-packages repository

https://github.com/void-linux/void-packages/pull/46415#discussion_r1354724854

Comment:
I did not want to spam a massive error message here for something that's likely broken on our end in either the script or our (dated!) package overlay(s).

In any case, substituting `glibc-2.36_1` for `glibc-2.36_2` in `common/shlibs` _fixes it_. I'll leave it to @JamiKettunen to sort out whether that's expected.

Thread overview: 11+ messages
2023-10-03 20:20 [PR PATCH] glibc: backport patch to fix CVE-2023-4911 Johnnynator
2023-10-03 20:22 ` [PR REVIEW] " classabbyamp
2023-10-03 20:31 ` [PR PATCH] [Updated] " Johnnynator
2023-10-03 20:32 ` [PR REVIEW] " Johnnynator
2023-10-03 20:46 ` [PR PATCH] [Updated] " Johnnynator
2023-10-03 20:47 ` [PR PATCH] [Merged]: " Johnnynator
2023-10-11  9:23 ` [PR REVIEW] " MarijnS95
2023-10-11  9:24 ` MarijnS95
2023-10-11  9:34 ` classabbyamp
2023-10-11  9:35 ` classabbyamp
2023-10-11 11:00 ` MarijnS95
