From 33b94bcc9c05045b5ad5bfcdcc5bc4d6c4570c5b Mon Sep 17 00:00:00 2001 From: yueyaoqiang Date: Fri, 26 Apr 2024 15:50:42 +0800 Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677) --- glibc.spec | 6 +++++- ...low-in-netgroup-cache-CVE-2024-33599.patch | 19 +++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch diff --git a/glibc.spec b/glibc.spec index 45b706d..859efaf 100644 --- a/glibc.spec +++ b/glibc.spec @@ -67,7 +67,7 @@ ############################################################################## Name: glibc Version: 2.38 -Release: 26 +Release: 27 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -171,6 +171,7 @@ Patch82: LoongArch-Update-hwcap.h-to-sync-with-LoongArch-kern.patch Patch83: linux-Sync-Linux-6.6-elf.h.patch Patch84: Decrease-value-of-arch_minimum_kernel-with-LoongArch.patch Patch85: iconv-ISO-2022-CN-EXT-fix-out-of-bound-writes-when-w.patch +Patch86: nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch Patch9001: locale-delete-no-hard-link-to-avoid-all_language-pac.patch @@ -1393,6 +1394,9 @@ fi %endif %changelog +* Fri Apr 26 2024 yueyaoqiang - 2.38-27 +- CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677) + * Tue Apr 23 2024 Yang Yanchao - 2.38-26 - iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961) diff --git a/nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch b/nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch new file mode 100644 index 0000000..15b0398 --- /dev/null +++ b/nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch 
@@ -0,0 +1,19 @@
+diff -Naur glibc-2.38/nscd/netgroupcache.c glibc-2.38_cve/nscd/netgroupcache.c
+--- glibc-2.38/nscd/netgroupcache.c 2023-08-01 01:54:16.000000000 +0800
++++ glibc-2.38_cve/nscd/netgroupcache.c 2024-04-26 15:35:55.952733135 +0800
+@@ -502,12 +502,13 @@
+ = (struct indataset *) mempool_alloc (db,
+ sizeof (*dataset) + req->key_len,
+ 1);
+- struct indataset dataset_mem;
+ bool cacheable = true;
+ if (__glibc_unlikely (dataset == NULL))
+ {
+ cacheable = false;
+- dataset = &dataset_mem;
++ /* The alloca is safe because nscd_run_worker verfies that
++ key_len is not larger than MAXKEYLEN. */
++ dataset = alloca (sizeof (*dataset) + req->key_len);
+ }
+ 
+ datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
-- 
Gitee
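Review bot: The new patch file is a bare `diff -Naur` with no upstream provenance — no `From <commit>` line, subject, author or Signed-off-by — so a later auditor cannot confirm that this backport of the CVE-2024-33599 fix matches what upstream glibc shipped or locate related upstream follow-ups; a header line such as `Upstream-commit: <UPSTREAM_COMMIT_ID>` (placeholder) above the inner diff would fix that. In the inner hunk the added comment misspells "verifies" (`verfies`); if the backport is meant to stay byte-identical to upstream leave it, otherwise use `/* The alloca is safe because nscd_run_worker verifies that`. The safety of the new `dataset = alloca (sizeof (*dataset) + req->key_len);` rests entirely on the MAXKEYLEN bound that the comment attributes to nscd_run_worker, which lies outside this patch, so the reviewer should confirm that bound is present in the 2.38 tree being patched before accepting; `alloca` also needs a declaration, which presumably comes from an existing include in netgroupcache.c but is not visible here. The enclosing function starts and ends outside the hunk.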