From ec53b9158cbf423bf4406ae29b5eb94b765af31c Mon Sep 17 00:00:00 2001
From: Patsy Griffin
Date: Tue, 11 Jun 2024 20:43:06 -0400
Subject: [PATCH] CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX.
Resolves: RHEL-34268
---
 glibc-RHEL-34268-1.patch | 53 ++++++++++++++++++++++++++++++++++++++++
 glibc-RHEL-34268-2.patch | 52 +++++++++++++++++++++++++++++++++++++++
 glibc.spec | 8 +++++-
 3 files changed, 112 insertions(+), 1 deletion(-)
 create mode 100644 glibc-RHEL-34268-1.patch
 create mode 100644 glibc-RHEL-34268-2.patch
diff --git a/glibc-RHEL-34268-1.patch b/glibc-RHEL-34268-1.patch
new file mode 100644
index 0000000..4642d7a
--- /dev/null
+++ b/glibc-RHEL-34268-1.patch
@@ -0,0 +1,53 @@
+commit b048a482f088e53144d26a61c390bed0210f49f2
+Author: Florian Weimer
+Date: Thu Apr 25 15:01:07 2024 +0200
+
+ CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bug 31678)
+
+ The addgetnetgrentX call in addinnetgrX may have failed to produce
+ a result, so the result variable in addinnetgrX can be NULL.
+ Use db->negtimeout as the fallback value if there is no result data;
+ the timeout is also overwritten below.
+
+ Also avoid sending a second not-found response. (The client
+ disconnects after receiving the first response, so the data stream did
+ not go out of sync even without this fix.) It is still beneficial to
+ add the negative response to the mapping, so that the client can get
+ it from there in the future, instead of going through the socket.
+
+ Reviewed-by: Siddhesh Poyarekar
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index c18fe111f3..e22ffa5884 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -511,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+
+ datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
+ sizeof (innetgroup_response_header),
+- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
++ he == NULL ? 0 : dh->nreloads + 1,
++ result == NULL ? db->negtimeout : result->head.ttl);
+ /* Set the notfound status and timeout based on the result from
+ getnetgrent. */
+- dataset->head.notfound = result->head.notfound;
++ dataset->head.notfound = result == NULL || result->head.notfound;
+ dataset->head.timeout = timeout;
+
+ dataset->resp.version = NSCD_VERSION;
+- dataset->resp.found = result->resp.found;
++ dataset->resp.found = result != NULL && result->resp.found;
+ /* Until we find a matching entry the result is 0. */
+ dataset->resp.result = 0;
+
+@@ -566,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+ goto out;
+ }
+
+- if (he == NULL)
++ /* addgetnetgrentX may have already sent a notfound response. Do
++ not send another one. */
++ if (he == NULL && dataset->resp.found)
+ {
+ /* We write the dataset before inserting it to the database
+ since while inserting this thread might block and so would
diff --git a/glibc-RHEL-34268-2.patch b/glibc-RHEL-34268-2.patch
new file mode 100644
index 0000000..6619d7c
--- /dev/null
+++ b/glibc-RHEL-34268-2.patch
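Review bot: The new guard `if (he == NULL && dataset->resp.found)` uses the lookup outcome as a proxy for "a not-found reply has already been written to fd", but nothing in the hunk records that such a write happened, and the comment above it only says addgetnetgrentX "may have" sent one. If the inner addgetnetgrentX call made for this request does not write to the client's socket (the hunk does not show how it is invoked), a client asking about a missing netgroup would now receive no reply at all instead of a duplicate one, trading the crash for a client left waiting. A safer shape is to record the sent state explicitly, e.g. a `bool notfound_sent` set at the point where the not-found reply actually goes out and tested here as `if (he == NULL && !notfound_sent)`, or at minimum to make the assumption checkable in the comment: `/* A notfound reply for this request was already written by addgetnetgrentX (called with this fd), so only write when the group was found.  */`. addinnetgrX starts and ends outside the hunk, as does the call site that decides whether the inner lookup had a socket to write to.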
@@ -0,0 +1,52 @@
+commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa
+Author: Florian Weimer
+Date: Thu Apr 25 15:01:07 2024 +0200
+
+ CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678)
+
+ If we failed to add a not-found response to the cache, the dataset
+ point can be null, resulting in a null pointer dereference.
+
+ Reviewed-by: Siddhesh Poyarekar
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index f227dc7fa2..c18fe111f3 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ /* No such service. */
+ cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
+ &key_copy);
+- goto writeout;
++ goto maybe_cache_add;
+ }
+
+ memset (&data, '\0', sizeof (data));
+@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ {
+ cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
+ &key_copy);
+- goto writeout;
++ goto maybe_cache_add;
+ }
+
+ total = buffilled;
+@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ }
+
+ if (he == NULL && fd != -1)
+- {
+- /* We write the dataset before inserting it to the database
+- since while inserting this thread might block and so would
+- unnecessarily let the receiver wait. */
+- writeout:
++ /* We write the dataset before inserting it to the database since
++ while inserting this thread might block and so would
++ unnecessarily let the receiver wait. */
+ writeall (fd, &dataset->resp, dataset->head.recsize);
+- }
+
++ maybe_cache_add:
+ if (cacheable)
+ {
+ /* If necessary, we also propagate the data to disk. */
diff --git a/glibc.spec b/glibc.spec
index 222c431..511830b 100644
--- a/glibc.spec
+++ b/glibc.spec
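Review bot: After `goto maybe_cache_add` from the two do_notfound call sites, `dataset` can be NULL (that is the dereference this commit removes), and what appears to keep the `dataset->head` accesses inside `if (cacheable)` safe is an invariant that do_notfound never returns true while leaving `*datasetp` NULL; that invariant is neither visible in the hunk nor stated at the new label. I would write it down at the jump target, `/* dataset may be NULL here if do_notfound could not allocate; cacheable must be false in that case, so dataset is only touched inside the cacheable block.  */`, or make it checkable with `assert (!cacheable || dataset != NULL);` immediately after `maybe_cache_add:`. Separately, in the 410 hunk the braces around the `if (he == NULL && fd != -1)` body were dropped, leaving a three-line comment between the `if` and its single statement `writeall (fd, &dataset->resp, dataset->head.recsize);`; keeping the braces would make it harder for a later edit to move that write outside the conditional. addgetnetgrentX continues past the end of the hunk, so whether `dataset` is dereferenced after the `if (cacheable)` block cannot be judged from here.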
@@ -155,7 +155,7 @@ end \
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 111%{?dist}
+Release: 112%{?dist}
 
 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
 # libraries.
@@ -828,6 +828,8 @@ Patch591: glibc-RHEL-22165-5.patch
 Patch592: glibc-RHEL-31805.patch
 Patch593: glibc-RHEL-25063.patch
 Patch594: glibc-RHEL-34265.patch
+Patch595: glibc-RHEL-34268-1.patch
+Patch596: glibc-RHEL-34268-2.patch
 
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -2986,6 +2988,10 @@ update_gconv_modules_cache ()
 %endif
 %changelog
+* Tue Jun 11 2024 Patsy Griffin - 2.34-112
+- CVE-2024-33600: nscd: Avoid null pointer crashes after notfound
+ response (RHEL-34268)
+
 * Mon Jun 10 2024 Patsy Griffin - 2.34-111
 - CVE-2024-33599: nscd: buffer overflow in netgroup cache (RHEL-34265)
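Review bot: Patch595 and Patch596 are listed in the reverse of their upstream order: glibc-RHEL-34268-1.patch carries the index line `c18fe111f3..e22ffa5884` while glibc-RHEL-34268-2.patch carries `f227dc7fa2..c18fe111f3`, so the -1 file expects the netgroupcache.c state that the -2 file produces. The two patches touch different functions (addinnetgrX and addgetnetgrentX) and their hunks do not overlap, so patch will presumably still place the -1 hunks with a line offset, but the build then depends on that offset matching rather than on a clean sequence, and the index line in -1 is misleading to anyone auditing the backport. Swapping the two Patch numbers so that the `goto maybe_cache_add` change (7835b00d) is applied before the addinnetgrX change (b048a482), or renaming the files so their suffixes match application order, removes that dependence. The changelog entry cites only one of the two upstream commit titles; naming both would make the backport easier to verify against upstream.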