Version in base suite: 2.31-13+deb11u6 Base version: glibc_2.31-13+deb11u6 Target version: glibc_2.31-13+deb11u7 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/glibc/glibc_2.31-13+deb11u6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/glibc/glibc_2.31-13+deb11u7.dsc changelog | 8 ++++ patches/any/local-CVE-2023-4911.patch | 60 ++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 69 insertions(+)
diff -Nru glibc-2.31/debian/changelog glibc-2.31/debian/changelog
--- glibc-2.31/debian/changelog 2023-04-19 21:17:51.000000000 +0000
+++ glibc-2.31/debian/changelog 2023-10-02 20:22:57.000000000 +0000
@@ -1,3 +1,11 @@
+glibc (2.31-13+deb11u7) bullseye-security; urgency=medium
+
+ * debian/patches/any/local-CVE-2023-4911.patch: Fix a buffer overflow in the
+ dynamic loader's processing of the GLIBC_TUNABLES environment variable
+ (CVE-2023-4911).
+
+ -- Aurelien Jarno Mon, 02 Oct 2023 22:22:57 +0200
+
 glibc (2.31-13+deb11u6) bullseye; urgency=medium
 
 [ Aurelien Jarno ]
diff -Nru glibc-2.31/debian/patches/any/local-CVE-2023-4911.patch glibc-2.31/debian/patches/any/local-CVE-2023-4911.patch
--- glibc-2.31/debian/patches/any/local-CVE-2023-4911.patch 1970-01-01 00:00:00.000000000 +0000
+++ glibc-2.31/debian/patches/any/local-CVE-2023-4911.patch 2023-09-28 20:57:58.000000000 +0000
@@ -0,0 +1,60 @@
+From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar
+Date: Mon, 11 Sep 2023 18:53:15 -0400
+Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+---
+Changes from v1:
+
+- Also null-terminate tunestr before exiting.
+
+ elf/dl-tunables.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8e7ee9df10..76cf8b9da3 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
+ /* If we reach the end of the string before getting a valid name-value
+ pair, bail out. */
+ if (p[len] == '\0')
+- {
+- if (__libc_enable_secure)
+- tunestr[off] = '\0';
+- return;
+- }
++ break;
+ 
+ /* We did not find a valid name-value pair before encountering the
+ colon. */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
+ }
+ }
+ 
+- if (p[len] != '\0')
+- p += len + 1;
++ /* We reached the end while processing the tunable string. */
++ if (p[len] == '\0')
++ break;
++
++ p += len + 1;
+ }
++
++ /* Terminate tunestr before we leave. */
++ if (__libc_enable_secure)
++ tunestr[off] = '\0';
+ }
+ #endif
+ 
+--
+2.41.0
+
diff -Nru glibc-2.31/debian/patches/series glibc-2.31/debian/patches/series
--- glibc-2.31/debian/patches/series 2023-04-17 15:03:06.000000000 +0000
+++ glibc-2.31/debian/patches/series 2023-10-02 20:18:17.000000000 +0000
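Review bot: The backport carries only the elf/dl-tunables.c change (the embedded diffstat reads `1 file changed, 10 insertions(+), 7 deletions(-)`), so nothing in this update exercises the malformed `name=name=val` input that the commit message names as the trigger; if the upstream fix's accompanying test changes (the tunables tests under elf/, tst-env-setuid-tunables if memory serves) were not picked up, a regression case that parses that form in secure mode and checks tunestr stays within bounds would keep the CVE-2023-4911 fix visible to the test suite. The new post-loop `tunestr[off] = '\0'` relies on `off` being correct on every path that now reaches `break`, including the early exit at the first `p[len] == '\0'` check that previously terminated and returned inline; that bookkeeping lives outside the hunk, so it is worth confirming `off` is never advanced for the rejected duplicate before the loop exits. parse_tunables begins and ends outside both nested hunks.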
@@ -169,3 +169,4 @@
 any/git-surplus-tls-accounting.diff
 any/git-ld.so-cache-endianness-markup.diff
 any/local-CVE-2021-33574-mq_notify-use-after-free.diff
+any/local-CVE-2023-4911.patch