Analyze CVE-2024-2961 affecting glibc
-
https://rockylinux.org/news/glibc-vulnerability-april-2024/
First, let us check whether the system has the affected character set (ISO-2022-CN-EXT) by running
iconv -l | grep -E 'CN-?EXT'
Tails 6.2 is vulnerable
-
https://bugzilla.redhat.com/show_bug.cgi?id=2273404
The iconv plugin ISO-2022-CN-EXT, when converting from UCS4, might trigger an OOB write. The encoding requires adding escape sequences to indicate where it changes the character set (as described by RFC 1922) and while the bounds check is done by the SOdesignation designation, it is missing for SS2designation and SS3designation. This leads to an overflow of 1, 2, or 3 bytes with fixed values: '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
-
https://www.offensivecon.org/speakers/2024/charles-fol.html
Despite being reachable in multiple well-known libraries or programs, it proved rarely exploitable. Indeed, this was not a foos bug: with hard-to-achieve preconditions, it did not even provide a nice primitive. On PHP however, it led to amazing results: a new exploitation technique that affects the whole PHP ecosystem, and the compromission of several applications.
-
https://lists.debian.org/debian-security-announce/2024/msg00082.html
For the stable distribution (bookworm), this problem has been fixed in version 2.36-9+deb12u6.
-
https://garrettmills.dev/blog/2024/04/22/Mitigating-the-iconv-Vulnerability-for-PHP-CVE-2024-2961/
Has instructions for disabling the affected encodings, as an alternative mitigation.
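The following script is an added example for these notes; it is not code from the Tails issue, the Rocky Linux advisory or the linked blog post. It wraps the `iconv -l` check from the start of these notes, adds the check that actually matters after a mitigation (whether the ISO-2022-CN-EXT converter still loads, since a name being listed is not the same as the module being loadable), and dry-runs the gconv-modules mitigation that the linked post describes by writing a stripped copy rather than touching the system file. The gconv-modules path and the output format of `iconv -l` (one name per line with a trailing `//`) are assumptions about a glibc host; the sample listing and gconv-modules fragment in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the Tails issue or the linked posts.
# Checks whether this glibc host still exposes the ISO-2022-CN-EXT
# converter (CVE-2024-2961) and dry-runs the gconv-modules mitigation.
# ASSUMPTION: gconv-modules lives under the glibc gconv directory, e.g.
#   /usr/lib/x86_64-linux-gnu/gconv/gconv-modules  (Debian-based)
# Adjust GCONV_MODULES for the host before applying anything for real.
GCONV_MODULES=${GCONV_MODULES:-/usr/lib/x86_64-linux-gnu/gconv/gconv-modules}

# Is ISO-2022-CN-EXT (or an alias such as ISO2022CNEXT) present in an
# `iconv -l` listing?  $1 = file holding the listing.
# Exit status 0 = listed, 1 = not listed (same grep as in the notes).
cn_ext_listed() {
    grep -qE 'CN-?EXT' "$1"
}

# Print the matching names, with glibc's trailing "//" stripped.
cn_ext_aliases() {
    grep -E 'CN-?EXT' "$1" | sed 's#//*$##'
}

# Does the converter actually load on this host?  An empty conversion to
# ISO-2022-CN-EXT succeeds when the module is installed and fails with
# "conversion ... unsupported" once it has been removed from the gconv
# configuration.  Exit 0 = loads, 1 = does not load.
cn_ext_converter_loads() {
    iconv -f UTF-8 -t ISO-2022-CN-EXT </dev/null >/dev/null 2>&1
}

# Dry-run of the mitigation: copy a gconv-modules file with every
# ISO-2022-CN-EXT line (aliases and module entries) removed, and print how
# many lines were dropped.  $1 = source gconv-modules, $2 = output path.
# Applying it for real means installing the stripped file in place of the
# original and running `iconvconfig` to rebuild gconv-modules.cache.
cn_ext_strip_gconv() {
    grep -v 'ISO-2022-CN-EXT' "$1" > "$2" || :   # grep -v exits 1 when nothing is left
    before=$(wc -l < "$1")
    after=$(wc -l < "$2")
    echo $((before - after))
}

# Run as `sh this_script.sh --check` to inspect the current host.
case "${1:-}" in
    --check)
        listing=$(mktemp)
        iconv -l > "$listing"
        if cn_ext_listed "$listing"; then
            echo "iconv -l lists the affected charset:"
            cn_ext_aliases "$listing"
        else
            echo "iconv -l does not list ISO-2022-CN-EXT"
        fi
        rm -f "$listing"
        if cn_ext_converter_loads; then
            echo "ISO-2022-CN-EXT converter loads: vulnerable unless glibc is patched"
        else
            echo "ISO-2022-CN-EXT converter does not load"
        fi
        if [ -r "$GCONV_MODULES" ]; then
            stripped=$(mktemp)
            n=$(cn_ext_strip_gconv "$GCONV_MODULES" "$stripped")
            echo "mitigation would remove $n line(s) from $GCONV_MODULES (dry run: $stripped)"
        fi
        ;;
esac
```

A patched glibc (for example Debian's 2.36-9+deb12u6 named above) fixes the bounds check rather than removing the converter, so `cn_ext_converter_loads` succeeding on a patched system is expected; the converter-load check is the right signal only for the disable-the-encoding mitigation, and the package version is the signal for the fix.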
The prepared-but-not-yet-released Tails 6.2 is vulnerable, so we might have to follow up with an emergency 6.2.1 release ASAP, unless analysis finds mitigating factors.