======================================================================
CERT-Renater Information Note No. 2024/VULN210
_____________________________________________________________________
DATE : 19/04/2024
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running GNU C Library.
=====================================================================
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/README;h=b8f8a829ca5ca54d34d0ac562e0dc9a5e99e02d7;hb=HEAD
_____________________________________________________________________

GNU C Library Security Advisory Format
======================================

Security advisories in this directory follow a simple git commit log
format, with a heading and free-format description augmented with tags
to allow parsing key information.  References to code changes are
specific to the glibc repository and follow a specific format:

    Tag-name: <commit-ref> (release-version)

The <commit-ref> indicates a specific commit in the repository.  The
release-version indicates the publicly consumable release in which this
commit is known to exist.  The release-version is derived from the
git-describe format (i.e. stripped out from glibc-2.34.NNN-gxxxx) and
is of the form 2.34-NNN.  If the -NNN suffix is absent, it means that
the change is in that release tarball; otherwise the change is on the
release/2.YY/master branch and not in any released tarball.

The following tags are currently being used:

CVE-Id:
    This is the CVE-Id assigned under the CVE Program
    (https://www.cve.org/).

Public-Date:
    The date this issue became publicly known.

Vulnerable-Commit:
    The commit that introduced this vulnerability.  There could be
    multiple entries, one for each release branch in the glibc
    repository; the release-version portion of this tag should tell
    you which branch this is on.

Fix-Commit:
    The commit that fixed this vulnerability.  There could be multiple
    entries for each release branch in the glibc repository,
    indicating that all of those commits contributed to fixing that
    issue in each of those branches.

Reported-By:
    The entity that reported this issue.  There could be multiple
    entries, one for each reporter.

Adding an Advisory
------------------

An advisory for a CVE needs to be added on the master branch in two
steps:

1. Add the text of the advisory without any Fix-Commit tags along with
   the fix for the CVE.  Add the Vulnerable-Commit tag, if applicable.
   The advisories directory does not exist in release branches, so keep
   the advisory text commit distinct from the code changes, to ease
   backports.  Ask for the GLIBC-SA advisory number from the security
   team.

2. Finish all backports on release branches and then, back on the
   master branch, add all commit refs to the advisory using the
   Fix-Commit tags.  Don't bother adding the release-version subscript
   since the next step will overwrite it.

3. Run the process-advisories.sh script in the scripts directory on the
   advisory:

       scripts/process-advisories.sh update GLIBC-SA-YYYY-NNNN

   (replace YYYY-NNNN with the actual advisory number).

4. Verify the updated advisory and push the result.

Getting a NEWS snippet from advisories
--------------------------------------

Run:

    scripts/process-advisories.sh news

and copy the content into the NEWS file.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: cert@support.renater.fr +
=========================================================
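As an added example (not part of the CERT note and not one of the glibc project's own scripts), the following Python parser reads an advisory written in the tag format described in the note above and reports, per release branch, whether a fix is in a released tarball (release-version of the form 2.YY) or only on the release/2.YY/master branch (release-version of the form 2.YY-NNN). It assumes the five tags listed in the README are the full tag set, that a commit-ref is a hexadecimal git hash, and that the first line of the advisory is its heading; the sample advisory, its CVE id and its commit hashes are constructed placeholders.

```python
"""Parser for the glibc advisories/README tag format (added example).

Assumed format, per the README:

    Tag-name: <commit-ref> (release-version)

where release-version is 2.YY (in that release tarball) or 2.YY-NNN
(on release/2.YY/master, not in any released tarball).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample; the CVE id and commit hashes are placeholders.
SAMPLE_ADVISORY = """\
Example: out-of-bounds read in an example function (constructed)

This is a constructed advisory body and does not describe a real
glibc issue.  All commit references below are placeholders.

CVE-Id: CVE-YYYY-NNNN
Public-Date: 2024-01-01
Vulnerable-Commit: 0000000000000000000000000000000000000001 (2.34)
Fix-Commit: 0000000000000000000000000000000000000002 (2.39-12)
Fix-Commit: 0000000000000000000000000000000000000003 (2.38-45)
Fix-Commit: 0000000000000000000000000000000000000004 (2.40)
Reported-By: Example Reporter
"""

# Assumption: these five tags (from the README) are the complete tag set.
KNOWN_TAGS = {"CVE-Id", "Public-Date", "Vulnerable-Commit", "Fix-Commit", "Reported-By"}

TAG_RE = re.compile(r"^(?P<tag>[A-Za-z][A-Za-z-]*):\s*(?P<value>.*\S)\s*$")
# Assumption: a commit-ref is a 7- to 40-character hexadecimal git hash.
COMMIT_REF_RE = re.compile(r"^(?P<ref>[0-9a-f]{7,40})\s*\((?P<release>[^)]+)\)$")
RELEASE_RE = re.compile(r"^(?P<base>2\.\d+)(?:-(?P<nnn>\d+))?$")


@dataclass
class CommitRef:
    ref: str
    base: str            # release branch, e.g. "2.38"
    nnn: Optional[int]   # None: in the 2.YY tarball; N: N commits past it on the branch

    @property
    def in_release_tarball(self) -> bool:
        return self.nnn is None

    @property
    def branch(self) -> str:
        return f"release/{self.base}/master"


@dataclass
class Advisory:
    title: str
    description: str = ""
    cve_id: Optional[str] = None
    public_date: Optional[str] = None
    vulnerable_commits: list[CommitRef] = field(default_factory=list)
    fix_commits: list[CommitRef] = field(default_factory=list)
    reported_by: list[str] = field(default_factory=list)


def parse_commit_ref(value: str) -> CommitRef:
    """Parse '<commit-ref> (release-version)'; reject anything malformed."""
    m = COMMIT_REF_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed commit reference: {value!r}")
    r = RELEASE_RE.match(m["release"].strip())
    if not r:
        raise ValueError(f"malformed release-version: {m['release']!r}")
    return CommitRef(m["ref"], r["base"], int(r["nnn"]) if r["nnn"] else None)


def parse_advisory(text: str) -> Advisory:
    """Split an advisory into heading, free-form description and known tags."""
    lines = text.splitlines()
    adv = Advisory(title=lines[0].strip() if lines else "")
    body: list[str] = []
    for line in lines[1:]:
        m = TAG_RE.match(line)
        if not (m and m["tag"] in KNOWN_TAGS):
            body.append(line)          # unknown 'Word:' lines stay in the description
            continue
        tag, value = m["tag"], m["value"]
        if tag == "CVE-Id":
            adv.cve_id = value
        elif tag == "Public-Date":
            adv.public_date = value
        elif tag == "Vulnerable-Commit":
            adv.vulnerable_commits.append(parse_commit_ref(value))
        elif tag == "Fix-Commit":
            adv.fix_commits.append(parse_commit_ref(value))
        else:  # Reported-By
            adv.reported_by.append(value)
    adv.description = "\n".join(body).strip()
    return adv


def fix_status(adv: Advisory) -> dict[str, str]:
    """Per release branch: is the fix in a tarball, or only on the branch?"""
    status: dict[str, str] = {}
    for c in adv.fix_commits:
        if c.in_release_tarball:
            status[c.base] = f"fixed in the glibc {c.base} release tarball"
        else:
            status[c.base] = (f"fixed on {c.branch} ({c.nnn} commits past {c.base}), "
                              "not in a released tarball")
    return status


if __name__ == "__main__":
    parsed = parse_advisory(SAMPLE_ADVISORY)
    print(parsed.cve_id, "reported by", ", ".join(parsed.reported_by))
    for branch, state in sorted(fix_status(parsed).items()):
        print(f"  {branch}: {state}")
```

The useful output for a defender is fix_status: a Fix-Commit tagged 2.40 means the fix ships in the 2.40 tarball, while one tagged 2.38-45 means a system on a stock 2.38 tarball is still unfixed unless its distribution backported the commit from release/2.38/master.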