Want to subscribe to topics you're interested in?
Become a Member

Security glibc iconv module CVE-2024-2961 vulnerability mitigation fix

Discussion in 'System Administration' started by eva2000, Apr 26, 2024.

  1. eva2000

    eva2000 Administrator Staff Member

    52,186
    11,998
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,501
    Local Time:
    2:35 PM
    Nginx 1.25.x
    MariaDB 10.x

    glibc iconv CVE-2024-2961 vulnerability



    The CVE-2024-2961 issue involves a vulnerability in the software library, glibc, which could potentially allow unauthorized actions on a computer if exploited. This vulnerability is associated with the way text encoding conversions are handled, specifically affecting certain character sets used in text files.

    CVE-2024-2961 is a vulnerability found in the GNU C Library (glibc), particularly in the iconv module, which is responsible for converting text between different character encodings. The flaw is specific to the handling of the ISO-2022-CN-EXT character encoding, which could be exploited to execute arbitrary code or disrupt services by manipulating the conversion process to cause buffer overflows or other unexpected behaviors.

    For users of Centmin Mod, updates have been made in versions 124.00stable and 130.00beta01 to address this vulnerability. A new script, /usr/local/src/centminmod/tools/iconv-fixes.sh, has been introduced. You can manually run this script after executing cmupdate to obtain it, or it will automatically apply when you run cmupdate command and then run and exit the centmin.sh menu after an update. This proactive step ensures your system is safeguarded against potential exploits related to this issue.

    EL7 OS example shell script run



    This iconv command and grep filter checks if ISO-2022-CN-EXT character encoding exists in iconv. If it doesn't exist, the command would return an empty result instead of the 2 lines which are loaded by default.
    Code (Text):
    iconv -l | grep -E 'CN-?EXT'
    ISO-2022-CN-EXT//
    ISO2022CNEXT//
    


    manually ran iconv-fixes.sh script from /usr/local/src/centminmod/tools directory

    Code (Text):
    ./iconv-fixes.sh
    iconv CVE-2024-2961 mitigation fix for: /usr/lib64/gconv/gconv-modules
    Backup of /usr/lib64/gconv/gconv-modules created at /usr/lib64/gconv/gconv-modules.20240425-213935.
    Before modification:
    alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
    module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
    module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
    Modifications applied to /usr/lib64/gconv/gconv-modules.
    iconv cache regenerated.
    After modification:
    #alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
    #module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
    #module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
    Configuration file not found at /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.
    


    silent mode with -s flag doesn't return any output now

    Code (Text):
    ./iconv-fixes.sh -s
    



    Verify that it's fixed by running below command again, should return an empty result now.
    Code (Text):
    iconv -l | grep -E 'CN-?EXT'
    


    Code (Text):
    cat /root/centminlogs/iconv_fix_20240425-214150.log
    iconv CVE-2024-2961 mitigation fix for: /usr/lib64/gconv/gconv-modules
    Backup of /usr/lib64/gconv/gconv-modules created at /usr/lib64/gconv/gconv-modules.20240425-214150.
    Before modification:
    alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
    module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
    module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
    Modifications applied to /usr/lib64/gconv/gconv-modules.
    iconv cache regenerated.
    After modification:
    #alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
    #module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
    #module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
    Configuration file not found at /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.
    


    Verify that it's fixed by running below command again, should return an empty result now.
    Code (Text):
    iconv -l | grep -E 'CN-?EXT'
    



    EL8+ OS example shell script run



    This iconv command and grep filter checks if ISO-2022-CN-EXT character encoding exists in iconv. If it doesn't exist, the command would return an empty result instead of the 2 lines which are loaded by default.
    Code (Text):
    iconv -l | grep -E 'CN-?EXT'
    ISO-2022-CN-EXT//
    ISO2022CNEXT//
    


    manually ran iconv-fixes.sh script from /usr/local/src/centminmod/tools directory

    Code (Text):
    ./iconv-fixes.sh                                                                      
    No vulnerable charset lines found in /usr/lib64/gconv/gconv-modules, no action required.
    iconv CVE-2024-2961 mitigation fix for: /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
    Backup of /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf created at /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.20240425-163503.
    Before modification:
    alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
    module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
    module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
    Modifications applied to /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.
    iconv cache regenerated.
    After modification:
    #alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
    #module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
    #module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
    


    silent mode with -s flag doesn't return any output now

    Code (Text):
    ./iconv-fixes.sh -s
    


    Verify that it's fixed by running below command again, should return an empty result now.
    Code (Text):
    iconv -l | grep -E 'CN-?EXT'
    


    Code (Text):
    cat /root/centminlogs/iconv_fix_20240425-163724.log
    No vulnerable charset lines found in /usr/lib64/gconv/gconv-modules, no action required.
    iconv CVE-2024-2961 mitigation fix for: /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
    Backup of /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf created at /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.20240425-163724.
    Before modification:
    alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
    module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
    module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
    Modifications applied to /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.
    iconv cache regenerated.
    After modification:
    #alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
    #module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
    #module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
    


    Verify that it's fixed by running below command again, should return an empty result now.
    Code (Text):
    iconv -l | grep -E 'CN-?EXT'
    
     
  2. eva2000

    eva2000 Administrator Staff Member

    52,186
    11,998
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,501
    Local Time:
    2:35 PM
    Nginx 1.25.x
    MariaDB 10.x
    While not a PHP security bug, php folks have addressed this glibc iconv security vulnerability at PHP: Hypertext Preprocessor