git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
glibc: Fix CVE-2023-4911 "Looney Tunables"
author Mike Crowe <mac@mcrowe.com>
Thu, 5 Oct 2023 20:40:30 +0000 (21:40 +0100)
committer Steve Sakoman <steve@sakoman.com>
Thu, 5 Oct 2023 23:10:56 +0000 (13:10 -1000)
commit 9a800a2e2c2b14eab8c1f83cb4ac3b94a70dd23c
tree 392664432db0ac1d4bcc3421d26081d023858a5d
parent 0111b5b152c1bcff0ab26cf8632ca9002237f070
glibc: Fix CVE-2023-4911 "Looney Tunables"

Take the patch from the source for Debian's glibc 2.31-13+deb11u7
package, the changelog for which starts with:

 glibc (2.31-13+deb11u7) bullseye-security; urgency=medium

   * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the
     dynamic loader's processing of the GLIBC_TUNABLES environment variable
     (CVE-2023-4911).

This addresses the "Looney Tunables" vulnerability described at
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-core/glibc/glibc/CVE-2023-4911.patch [new file with mode: 0644]
meta/recipes-core/glibc/glibc_2.31.bb