From 06b39fabf23b7120ddeca862f70c81d593e3d21f Mon Sep 17 00:00:00 2001
From: yueyaoqiang
Date: Sun, 28 Apr 2024 10:52:05 +0800
Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677)
---
 glibc.spec | 6 +++++-
 ...low-in-netgroup-cache-CVE-2024-33599.patch | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch
diff --git a/glibc.spec b/glibc.spec
index 492196e..6c746d1 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -62,7 +62,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.28
-Release: 98
+Release: 99
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -160,6 +160,7 @@ Patch73: mips-Fix-argument-passing-for-inlined-syscalls-on-Linux-BZ-25523.patch
 Patch74: backport-CVE-2023-4813.patch
 Patch75: backport-CVE-2023-4806.patch
 Patch76: backport-CVE-2023-5156.patch
+Patch77: nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch
 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
@@ -1276,6 +1277,9 @@ fi
 %endif
 %changelog
+* Fri Apr 26 2024 yueyaoqiang - 2.28-99
+- CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677)
+
 * Wed Nov 22 2023 nicunshu - 2.28-98
 - glibc:remove rpath from some gcov files
diff --git a/nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch b/nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch
new file mode 100644
index 0000000..8e3f487
--- /dev/null
+++ b/nscd-Stack-based-buffer-overflow-in-netgroup-cache-CVE-2024-33599.patch
@@ -0,0 +1,19 @@
+diff -Naur glibc-2.28/nscd/netgroupcache.c glibc-2.28_cve/nscd/netgroupcache.c
+--- glibc-2.28/nscd/netgroupcache.c 2019-09-19 20:26:28.000000000 +0800
++++ glibc-2.28_cve/nscd/netgroupcache.c 2024-04-28 10:46:35.535760923 +0800
+@@ -503,12 +503,13 @@
+ = (struct indataset *) mempool_alloc (db,
+ sizeof (*dataset) + req->key_len,
+ 1);
+- struct indataset dataset_mem;
+ bool cacheable = true;
+ if (__glibc_unlikely (dataset == NULL))
+ {
+ cacheable = false;
+- dataset = &dataset_mem;
++ /* The alloca is safe because nscd_run_worker verfies that
++ key_len is not larger than MAXKEYLEN. */
++ dataset = alloca (sizeof (*dataset) + req->key_len);
+ }
+
+ datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
--
Gitee
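Review bot: The comment on the `++` lines misspells "verifies" as "verfies", and it is the only stated justification for `alloca (sizeof (*dataset) + req->key_len)`: the bound comes from a `key_len` check against MAXKEYLEN in nscd_run_worker, which lives outside this hunk and this file, so the backport should confirm that check is present in the 2.28 tree being patched before relying on it. Suggested wording: `/* The alloca is safe because nscd_run_worker verifies that key_len is not larger than MAXKEYLEN. */`. With the fixed-size `dataset_mem` removed, the fallback buffer is now sized by the same `sizeof (*dataset) + req->key_len` expression that `datahead_init_pos` receives on the hunk's last line, which is the substance of the fix; the enclosing function starts and ends outside the hunk. The patch header is a plain `diff -Naur` with local timestamps and carries no upstream commit or bug reference, so recording the upstream origin in the header would make the backport auditable against the original fix.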