CVE-2023-4911 Looney Tunables: heap overflow in glibc parse_tunables via malformed GLIBC_TUNABLES
CVE-2023-4911 'Looney Tunables' is a heap buffer overflow in glibc's dynamic linker (elf/dl-tunables.c), triggered through the GLIBC_TUNABLES environment variable when a setuid/setgid binary is executed. It affects glibc 2.34 up to and including unpatched 2.38 and allows local privilege escalation.

The bug is in parse_tunables(), called from __tunables_init(), which the loader runs very early in process startup (_dl_start → _dl_sysdep_start → __tunables_init, before dl_main).

Root cause: when a malformed tunable of the form 'name=name=val' is parsed in the AT_SECURE (setuid) path, the loop advancement at the end of each iteration:

    if (p[len] != '\0')
      p += len + 1;

fails to advance p when the value runs to end-of-string (p[len] == '\0'). The loop re-enters with p unchanged, so the value substring is re-parsed as a fresh name=value entry. The secure-mode write-back (the __libc_enable_secure path, which copies every tunable that is not SXID_ERASE back into tunestr) then writes BOTH interpretations into tunestr, a buffer that tunables_strdup() sized for a single pass over the original string.

Worked numbers for GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=512 (glibc.malloc.mxfast is not SXID_ERASE, so secure mode copies it back):
- Space available from tunestr: strlen('glibc.malloc.mxfast=glibc.malloc.mxfast=512') + 2 = 43 + 2 = 45 bytes (tunables_strdup() allocates strlen + 2 for the whole 'GLIBC_TUNABLES=...' string and parse_tunables() receives the pointer just past the 15-byte 'GLIBC_TUNABLES=' prefix)
- Iteration 1 writes: 'glibc.malloc.mxfast=glibc.malloc.mxfast=512' (43 bytes, off=43); p is left pointing at 'glibc.malloc.mxfast=512'
- Iteration 2 writes: ':glibc.malloc.mxfast=512' (24 bytes, off=67); p is left pointing at '512'
- Iteration 3 finds no '=' before end-of-string, writes the terminating NUL at tunestr[67] and returns
- Overflow: 68 bytes written into a 45-byte region, i.e. 23 bytes past the end of the __minimal_malloc allocation (22 bytes of tunable text plus the NUL terminator)
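The loop above, as an added C model that is not glibc's code and not part of the original note. It keeps the structure of parse_tunables() (name scan, value scan, secure-mode copy-back, the end-of-loop advance) but recognises a single tunable name instead of walking tunable_list, writes into an oversized scratch buffer so the overflow is measured instead of triggered, and exposes the patched loop exit side by side with the vulnerable one. The function names model_parse_tunables() and overflow_bytes(), the scratch size and the input limit are the example's own assumptions; the 'strlen(value) + 2' availability rule follows tunables_strdup() as described in the note.

```c
/*
 * Model of the glibc 2.34-2.37 parse_tunables() loop (AT_SECURE write-back
 * path). Added example for this note, not glibc code: same loop structure and
 * secure-mode copy-back, but one known tunable instead of tunable_list, and a
 * large scratch buffer so the overflow is counted rather than corrupting memory.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCRATCH_SIZE 8192   /* assumption: ample for inputs of MAX_INPUT bytes */
#define MAX_INPUT    64     /* assumption: keeps the scratch bound trivial */

/* The one tunable this model recognises. In glibc it is not SXID_ERASE, so
 * the secure path copies it back into tunestr. */
static const char *const KNOWN_TUNABLE = "glibc.malloc.mxfast";

static int tunable_is_known(const char *name, size_t name_len)
{
    return strlen(KNOWN_TUNABLE) == name_len
        && memcmp(KNOWN_TUNABLE, name, name_len) == 0;
}

/*
 * Parse `value` (the text after "GLIBC_TUNABLES=") and write the secure-mode
 * copy into `out`. Returns bytes written including the terminating NUL.
 * fixed=0 reproduces the vulnerable loop exit, fixed=1 the patched one
 * (break when the value ends the string, then terminate the buffer).
 */
size_t model_parse_tunables(const char *value, char *out, int fixed)
{
    const char *p = value;
    size_t off = 0;

    while (1) {
        const char *name = p;
        size_t name_len = 0;

        while (p[name_len] != '=' && p[name_len] != ':' && p[name_len] != '\0')
            name_len++;

        if (p[name_len] == '\0') {      /* no name=value pair left: terminate */
            out[off] = '\0';
            return off + 1;
        }
        if (p[name_len] == ':') {       /* bare name without '=': skip it */
            p += name_len + 1;
            continue;
        }

        p += name_len + 1;              /* p now points at the value text */
        const char *val = p;
        size_t len = 0;
        while (p[len] != ':' && p[len] != '\0')
            len++;

        /* Secure-mode write-back: name '=' value, entries separated by ':' */
        if (tunable_is_known(name, name_len)) {
            if (off > 0)
                out[off++] = ':';
            memcpy(out + off, KNOWN_TUNABLE, strlen(KNOWN_TUNABLE));
            off += strlen(KNOWN_TUNABLE);
            out[off++] = '=';
            memcpy(out + off, val, len);
            off += len;
        }

        if (p[len] != '\0')
            p += len + 1;               /* more entries follow the ':' */
        else if (fixed)
            break;                      /* patched: end of input reached */
        /* vulnerable: p stays on the value, which is re-parsed as a name */
    }

    out[off] = '\0';
    return off + 1;
}

/*
 * Bytes written beyond the space parse_tunables() really has. tunables_strdup()
 * allocates strlen("GLIBC_TUNABLES=" value) + 2 and parse_tunables() gets the
 * pointer past the 15-byte prefix, so strlen(value) + 2 bytes remain.
 * A negative result means the copy fits.
 */
long overflow_bytes(const char *value, int fixed)
{
    static char scratch[SCRATCH_SIZE];
    if (strlen(value) > MAX_INPUT)
        abort();
    size_t avail = strlen(value) + 2;
    size_t written = model_parse_tunables(value, scratch, fixed);
    return (long)written - (long)avail;
}

int main(void)
{
    /* Constructed inputs: the malformed trigger and a well-formed control. */
    const char *trigger = "glibc.malloc.mxfast=glibc.malloc.mxfast=512";
    const char *benign  = "glibc.malloc.mxfast=512";
    char out[SCRATCH_SIZE];

    model_parse_tunables(trigger, out, 0);
    printf("vulnerable copy-back    : \"%s\"\n", out);
    printf("trigger, vulnerable loop: %ld bytes past the allocation\n",
           overflow_bytes(trigger, 0));
    printf("trigger, fixed loop     : %ld (negative = fits)\n",
           overflow_bytes(trigger, 1));
    printf("benign,  vulnerable loop: %ld (negative = fits)\n",
           overflow_bytes(benign, 0));
    return 0;
}
```

The control input shows why a plain name=value never overflowed: on the re-parse, p sits on '512', the name scan reaches end-of-string without an '=', and the early-return path just terminates the buffer. Only a value that itself contains '=' survives the second pass as a new entry.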