Bug 1189426 (CVE-2021-38604)

Summary: VUL-0: CVE-2021-38604: glibc: In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: lukas.lansky, meissner, ncutler, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/307148/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-38604:6.2:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2021-08-13 11:53:30 UTC 
CVE-2021-38604

In librt in the GNU C Library (aka glibc) through 2.34,
sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data,
leading to a NULL pointer dereference. NOTE: this vulnerability was introduced
as a side effect of the CVE-2021-33574 fix.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38604
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38604
https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641
https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
Comment 1 Marcus Meissner 2021-08-13 11:54:11 UTC 
see bug 1186489
Comment 2 Andreas Schwab 2021-10-07 10:16:20 UTC 
None of our products are affected.
Comment 3 Lukas Lansky 2021-10-26 13:26:37 UTC 
(In reply to Andreas Schwab from comment #2)
> None of our products are affected.

Why? It seems to me glibc up to (including) 2.34 are affected. Thus Carwos (we get glibc from SUSE:SLE-15:Update) is affected. Or how should I understand this comment? Thanks.


Reason for asking: this CVE came up recently in the list of CVE from the customer they want some information about (e.g. it is or will it be fixed in Carwos etc.)
Comment 9 Marcus Meissner 2021-12-08 15:04:14 UTC 
so just for completeness:

As we fixed the original CVE CVE-2021-33574,  bug 1186489, we have already folded in this followup fix into patch mq-notify-use-after-free.patch
Comment 10 Marcus Meissner 2022-11-25 09:55:49 UTC 
released