#967938 libc6: systemd-sysusers SEGV due to glibc bug in fgetsgent

Package:
src:glibc
Source:
glibc
Submitter:
Jinpu Wang
Date:
2022-01-04 21:45:03 UTC
Severity:
important
Tags:
#967938#5
Date:
2020-08-05 10:52:24 UTC
From:
To:
Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***

#967938#10
Date:
2020-08-05 11:03:21 UTC
From:
To:
Dear Maintainer:

Sorry, add some missing information below:

After updating to Buster, systemd-sysusers segfaults every time.
After searching around, I found the following bug report in glibc:
https://sourceware.org/legacy-ml/libc-alpha/2016-06/msg01015.html

I backported the fix to 2.28-10, and it fixed the problem.

glibc upstream has a different fix for it in 2.32, see
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

I think it's still easier to backport the fix in msg01015.html to the 2.28 version;
the patch is attached to the initial report.

#967938#15
Date:
2020-08-05 16:44:12 UTC
From:
To:
* Jinpu Wang:

The patch from 2016 is incomplete because it does not seek back to the
original file position, so the next call of fgetsgent_r skips over the
entry that could not be fully parsed.
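
The retry behaviour described here (fgetsgent_r reporting ERANGE, the caller growing its buffer, and whether the entry survives the retry) can be checked directly against the installed libc. The following C program is an added example; it is not part of this bug report nor of any of the patches attached to it. The gshadow-style input is constructed inline (the group names, the password fields and the member count are made up), and the initial buffer sizes are arbitrary choices for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <gshadow.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct scan_result {
    int entries;         /* entries returned by fgetsgent_r, or -1 on error */
    size_t max_members;  /* longest sg_mem list seen */
    char names[128];     /* group names in the order they were returned */
};

/* Constructed gshadow-style input (not taken from any real system): a short
   group, one group whose member list is several kilobytes long, and a short
   "canary" group after it, so that a skipped entry shows up in the output. */
static FILE *make_gshadow_file(size_t member_count)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs("wheel:!::alice,bob\n", fp);
    fputs("bigmembers:!::", fp);
    for (size_t i = 0; i < member_count; i++)
        fprintf(fp, "%suser%zu", i ? "," : "", i);
    fputc('\n', fp);
    fputs("canary:!::carol\n", fp);
    rewind(fp);
    return fp;
}

/* Reads every entry with fgetsgent_r, doubling the buffer whenever the call
   reports ERANGE. The retry only yields the same entry if the libc put the
   stream back to the start of the line before returning ERANGE; a libc that
   consumed the line first hands the *next* entry to the retry, so the
   "bigmembers" group is lost and the count drops from three to two. */
static struct scan_result scan_gshadow(size_t member_count, size_t initial_buflen)
{
    struct scan_result r = { -1, 0, "" };
    FILE *fp = make_gshadow_file(member_count);
    size_t buflen = initial_buflen;
    char *buf = malloc(buflen);
    int count = 0;

    if (fp == NULL || buf == NULL)
        goto out;
    for (;;) {
        struct sgrp sg, *res = NULL;
        int rc = fgetsgent_r(fp, &sg, buf, buflen, &res);
        if (rc == ERANGE) {                 /* buffer too small: grow, retry */
            char *nb = realloc(buf, buflen * 2);
            if (nb == NULL)
                goto out;
            buf = nb;
            buflen *= 2;
            continue;
        }
        if (rc != 0 || res == NULL) {       /* glibc returns ENOENT at EOF */
            if (rc == ENOENT)
                r.entries = count;
            goto out;
        }
        size_t m = 0;
        while (sg.sg_mem != NULL && sg.sg_mem[m] != NULL)
            m++;
        if (m > r.max_members)
            r.max_members = m;
        if (strlen(r.names) + strlen(sg.sg_namp) + 2 <= sizeof r.names) {
            if (r.names[0] != '\0')
                strcat(r.names, ",");
            strcat(r.names, sg.sg_namp);
        }
        count++;
    }
out:
    free(buf);
    if (fp != NULL)
        fclose(fp);
    return r;
}

int main(void)
{
    /* 300 members: the line fits in a 4 KiB buffer, but the parser's member
       pointer array does not, which is exactly the parse-time ERANGE case. */
    struct scan_result r = scan_gshadow(300, 256);
    printf("entries=%d max_members=%zu names=%s\n",
           r.entries, r.max_members, r.names);
    if (r.entries != 3 || r.max_members != 300) {
        puts("an entry was skipped: this libc does not seek back on ERANGE");
        return 1;
    }
    puts("ok: every entry survived the ERANGE retry");
    return 0;
}
```

With 300 members the long line itself fits once the buffer has grown to 4 KiB, but the array of member pointers that the parser builds behind the line does not, so the ERANGE comes from the parser rather than from the line read; that is the case the 2016 patch handles without restoring the file position. A libc with the upstream fix prints all three group names in order; a libc that only carries the 2016 patch returns two entries with bigmembers missing.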

#967938#24
Date:
2020-08-06 04:08:20 UTC
From:
To:
Hi Florian,
Thanks for the quick response. Can you provide a minimal bugfix which
can be easily backported to older versions like 2.28,
since you also marked bug 20338 as a security hole?

Regards!
Jinpu

#967938#29
Date:
2020-08-06 10:16:36 UTC
From:
To:
I think we do not want to diverge from the upstream fix, even if it is a
bit more work to backport. We first need to fix it in bullseye/sid and
then we can try to get this in the next buster stable release.

It is marked as "security-", so it is *not* considered as a security
issue (as the content of this file is trusted).

Aurelien

#967938#34
Date:
2020-08-06 10:52:04 UTC
From:
To:
* Aurelien Jarno:

I can backport it to upstream release branches, all the way to version
2.28.  Would that help?

I plan to add local copies of the new functions, so that the
GLIBC_PRIVATE ABI remains unchanged.

But I have other commitments, so that may not happen until
September-ish.

That's right.

#967938#39
Date:
2020-08-07 09:14:38 UTC
From:
To:
Hi,

Yes, that would definitely help. The timing should not be an issue, I
still have to prepare a buster upload.

Thanks,
Aurelien

#967938#46
Date:
2020-08-12 09:20:07 UTC
From:
To:
Hi Florian, hi Aurelien,
I did a backport of your fixes from glibc 2.32 to Buster 2.28; the
patch is attached.

I tested with systemd-sysusers; it no longer SEGVs.

Can you please review it?

Thanks!
Jinpu

#967938#65
Date:
2022-01-04 21:39:57 UTC
From:
To:
Dear maintainers,

We are still seeing the same SEGV with Bullseye, so I forward-ported
the minimal bugfix.

Is it possible to get it upstream?

The patch is against glibc 2.31-13+deb11u2.

Thanks! Regards

Jinpu Wang

Sr. Linux Kernel Storage Programmer
Compute Platform Development Cloud

IONOS SE | Revaler Str. 30 | 10245 Berlin | Deutschland
Phone:
E-Mail: jinpu.wang@ionos.com | Web: www.ionos.de

Hauptsitz Montabaur, Amtsgericht Montabaur, HRB 24498

Vorstand: Hüseyin Dogan, Dr. Martin Endreß, Claudia Frese, Henning
Kettler, Arthur Mai, Britta Schmidt, Achim Weiß
Aufsichtsratsvorsitzender: Markus Kadelke


Member of United Internet

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient of this e-mail, you are hereby
notified that saving, distribution or use of the content of this
e-mail in any way is prohibited. If you have received this e-mail in
error, please notify the sender and delete the e-mail.