stackabletech / docker-images


(experimental vulnerability issue) CVE-2024-2961 #699

Open dervoeti opened 1 month ago

dervoeti commented 1 month ago

View observations in SecObserve

Review assessments in SecObserve


The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

dervoeti commented 1 month ago

The security status of the Red Hat images can be seen in the Red Hat Ecosystem Catalog, e.g. for the Red Hat Universal Base Image 9 Minimal.

At the time of writing, the Red Hat Universal Base Image 9 Minimal "does not contain known unapplied security advisories". However, the vulnerability scanners find a lot of open CVEs, e.g. CVE-2024-2961. According to the table in the Affected Packages and Issued Red Hat Security Errata section, Red Hat Enterprise Linux 9 is affected by this CVE. But it is fixed for Red Hat Enterprise Linux 8, see RHSA-2024:2722 - Security Advisory. Either the security status in the Red Hat Ecosystem Catalog or the table on the CVE page must be wrong.

The description in NVD - CVE-2024-2961 states:

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Therefore, a system is affected if

  1. iconv is installed in version 2.39 or older,
  2. the vulnerability is not patched, and
  3. the ISO-2022-CN-EXT plugin is enabled.

RHSA-2024:2722 lists the package glibc-2.28-236.el8_9.13.x86_64.rpm as fixed. That means that the package glibc-2.28-236.el8_9.12.x86_64.rpm is affected. This is consistent with the recommendation shown by SecObserve:

Upgrade glibc to version 2.28-236.el8_9.13

Kafka in the SDP 24.3.0 contains the affected version:

$ docker run docker.stackable.tech/stackable/kafka:3.6.1-stackable24.3.0 rpm --query glibc
glibc-2.28-236.el8_9.12.x86_64

The latest UBI8 image contains the patched version:

$ docker run redhat/ubi8-minimal rpm --query glibc
glibc-2.28-236.el8_9.13.x86_64

The latest UBI9 image contains another version which is older than version 2.39 and where the patch status is unknown:

$ docker run redhat/ubi9-minimal rpm --query glibc
glibc-2.34-100.el9.x86_64

So, the Kafka image and the UBI9 image would be affected if the plugin is enabled, but it is disabled:

$ docker run docker.stackable.tech/stackable/kafka:3.6.1-stackable24.3.0 iconv -l | grep -E 'CN-?EXT'
$ docker run redhat/ubi9-minimal iconv -l | grep -E 'CN-?EXT'

It seems that this CVE has no effect on the UBI 8 and 9 images.

However, Red Hat created a ticket and fixed this issue for glibc-2.28, which is used by UBI8. The question is whether they also applied this patch to glibc-2.34, which is used for UBI9. It often happens that security advisories can be found for older versions, but it is not clear whether the issue is still fixed in a newer version.

The source RPMs can be downloaded from

The RPM package for glibc-2.28 contains the fix for CVE-2024-2961 in the file glibc-RHEL-32475.patch. The RPM package for glibc-2.34 does not contain this patch. The patch changes the file iconvdata/iso-2022-cn-ext.c. When comparing this file between glibc versions 2.28 and 2.34, there is no significant difference, so the patch should also be applied to version 2.34 if it was necessary for version 2.28 (the glibc source code is contained in the SRPM and can also be downloaded from https://ftp.gnu.org/gnu/glibc/):

$ diff glibc-2.28/iconvdata/iso-2022-cn-ext.c glibc-2.34/iconvdata/iso-2022-cn-ext.c
2c2
<    Copyright (C) 2000-2018 Free Software Foundation, Inc.
---
>    Copyright (C) 2000-2021 Free Software Foundation, Inc.
18c18
<    <http://www.gnu.org/licenses/>.  */
---
>    <https://www.gnu.org/licenses/>.  */

On the one hand, Red Hat did not port this patch to the newer glibc version, even though the CVE correctly states that other versions below 2.39 are affected. On the other hand, the CVE has no effect because the ISO-2022-CN-EXT plugin is not enabled.

A deeper look at the RPM spec shows that only the basic plugins (also called modules), like UTF-8, are installed with the glibc package and that the other plugins are outsourced to the glibc-gconv-extra package:

$ docker run -ti redhat/ubi9-minimal bash
[root@7d7c88c32972 /]# microdnf install glibc-gconv-extra

(microdnf:13): librhsm-WARNING **: 18:54:26.675: Found 0 entitlement certificates

(microdnf:13): librhsm-WARNING **: 18:54:26.676: Found 0 entitlement certificates
Downloading metadata...
Downloading metadata...
Downloading metadata...
Package                                                                                                                               Repository                                           Size
Installing:
 glibc-gconv-extra-2.34-100.el9.x86_64                                                                                                ubi-9-baseos-rpms                                  1.8 MB
Transaction Summary:
 Installing:        1 packages
 Reinstalling:      0 packages
 Upgrading:         0 packages
 Obsoleting:        0 packages
 Removing:          0 packages
 Downgrading:       0 packages
Is this ok [y/N]: y
Downloading packages...
Running transaction test...
Installing: glibc-gconv-extra;2.34-100.el9;x86_64;ubi-9-baseos-rpms
Complete.
[root@7d7c88c32972 /]# iconv -l | grep -E 'CN-?EXT'
ISO-2022-CN-EXT//
ISO2022CNEXT//

In summary, this means that CVE-2024-2961 was fixed in UBI8 and appears again in UBI9. The Stackable images are not affected as long as glibc-gconv-extra is not installed.

Assessments

In general: The vulnerability was found in multiple glibc* packages in each image. I only made the assessment for the glibc package itself and marked the other observations in similar packages (like glibc-common) as duplicates.


docker.stackable.tech/stackable/krb5:1.18.2-stackable24.3.0@glibc-gconv-extra:2.28-236.el8_9.12

Status: Affected
VEX remediations: No fix planned
Text: There is no fix planned for SDP 24.3. It is fixed in SDP 24.7. An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. This plugin is contained in the package glibc-gconv-extra, which is installed. It is not installed anymore in SDP 24.7.

glibc-common:2.28-236.el8_9.13

Status: False positive
VEX remediations: Vulnerable code not present
Text: Vulnerability fixed according to https://access.redhat.com/errata/RHSA-2024:2722

all other images and packages from 24.3.0 and 0.0.0-dev

Status: False positive
VEX justification: Vulnerable code not present
Comment: An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. This plugin is only contained in the package glibc-gconv-extra, which is not installed.
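The three conditions derived in the comment above (glibc 2.39 or older, no backported patch, ISO-2022-CN-EXT module enabled), turned into an offline triage check. This is an added example, not code from the issue or from the stackabletech/docker-images repository; it takes the captured text of `rpm --query glibc` and `iconv -l` instead of running them, the sample strings are the ones quoted above plus constructed filler charsets, and the fixed-release table is an assumption covering only the el8 release cited from RHSA-2024:2722.

```python
import re

# Fixed releases the issue cites (RHSA-2024:2722 for el8). Assumption: el9's
# glibc-2.34 has no known backport, so it stays unpatched here, matching the
# SRPM inspection above. Keyed by (version, dist) -> (release, minor, patch).
FIXED_RELEASE = {("2.28", "el8"): (236, 9, 13)}
CNEXT_RE = re.compile(r"^ISO-?2022-?CN-?EXT//$", re.IGNORECASE)
RELEASE_RE = re.compile(r"^(\d+)\.(el\d+)(?:_(\d+))?(?:\.(\d+))?$")

# Sample inputs: the rpm/iconv lines quoted in the issue plus constructed filler.
KAFKA_RPM = "glibc-2.28-236.el8_9.12.x86_64"
UBI8_RPM = "glibc-2.28-236.el8_9.13.x86_64"
UBI9_RPM = "glibc-2.34-100.el9.x86_64"
ICONV_BASE = "UTF-8//\nISO-8859-1//\nUTF-16//\n"  # constructed `iconv -l` excerpt
ICONV_EXTRA = ICONV_BASE + "ISO-2022-CN-EXT//\nISO2022CNEXT//\n"  # with glibc-gconv-extra


def parse_nvra(rpm_output):
    """Split 'glibc-2.28-236.el8_9.12.x86_64' into (name, version, release, arch)."""
    stem, arch = rpm_output.strip().splitlines()[0].rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def is_patched(version, release):
    """True only if the release is at or past a backport listed in FIXED_RELEASE."""
    m = RELEASE_RE.match(release)
    if not m or (version, m.group(2)) not in FIXED_RELEASE:
        return False  # unknown dist or no known backport: treat as unpatched
    rel = (int(m.group(1)), int(m.group(3) or 0), int(m.group(4) or 0))
    return rel >= FIXED_RELEASE[(version, m.group(2))]


def cnext_enabled(iconv_list_output):
    """True if `iconv -l` advertises the ISO-2022-CN-EXT gconv module."""
    return any(CNEXT_RE.match(line.strip()) for line in iconv_list_output.splitlines())


def assess(rpm_output, iconv_list_output):
    """Return a VEX-style status from the three conditions in the comment above."""
    _, version, release, _ = parse_nvra(rpm_output)
    major_minor = tuple(int(p) for p in version.split(".")[:2])
    if major_minor > (2, 39) or is_patched(version, release):
        return "fixed"
    if not cnext_enabled(iconv_list_output):
        return "not_affected:vulnerable_code_not_present"
    return "affected"


if __name__ == "__main__":
    for label, rpm, lst in (("kafka", KAFKA_RPM, ICONV_BASE), ("krb5", KAFKA_RPM, ICONV_EXTRA),
                            ("ubi8", UBI8_RPM, ICONV_EXTRA), ("ubi9+extra", UBI9_RPM, ICONV_EXTRA)):
        print(f"{label:11s} {rpm:32s} {assess(rpm, lst)}")
```

The krb5 row reproduces the "Affected" assessment above (gconv-extra installed), while the ubi9 row shows why installing glibc-gconv-extra on UBI9 reintroduces the issue.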