Bug 12030

Summary: llvm possible security issue (CVE-2013-7171)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: anssi.hannula, cjw, fundawang, mageia, mitya, oe, thierry.vignaud, tmb
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/577350/
Whiteboard:
Source RPM: llvm-3.3-2.mga4.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 11726    

Description David Walser 2013-12-18 00:49:28 CET
Slackware issued an advisory on December 16:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.395467

You can find the patch they applied here:
http://mirrors.slackware.com/slackware/slackware-current/source/d/llvm/

It's not clear to me what this vulnerability really is or if fixing this is necessary.  It sounds similar to the libiodbc one that I reported in Bug 12029.

David Walser 2013-12-18 00:51:08 CET

CC: (none) => anssi.hannula, cjw, fundawang, mageia, mitya, thierry.vignaud, tmb

Comment 1 David Walser 2013-12-19 14:01:05 CET
More info on this:
http://openwall.com/lists/oss-security/2013/12/19/2
Comment 2 David Walser 2013-12-20 13:54:27 CET
A CVE was assigned for this:
http://openwall.com/lists/oss-security/2013/12/20/1

Summary: llvm possible security issue => llvm possible security issue (CVE-2013-7171)

David Walser 2013-12-20 23:25:48 CET

Blocks: (none) => 11726

Comment 3 Oden Eriksson 2013-12-23 14:16:27 CET
for i in `rpm -ql llvm | grep "/usr/bin"`; do objdump -x $i | grep RPATH; done

renders null.

I'd say this is invalid.

CC: (none) => oe
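
The check from Comment 3, generalized as an added example (not part of the original bug report and not Mageia tooling): it reads RUNPATH as well as RPATH and flags entries that are empty, relative, or under /tmp, /var/tmp or /dev/shm. The function names and the sample objdump output are constructed for illustration.

```sh
# Print the RPATH/RUNPATH values found in `objdump -x` output read from stdin.
extract_rpaths() {
    awk '$1 == "RPATH" || $1 == "RUNPATH" { print $2 }'
}

# Classify one colon-separated value. Prints a line per unsafe entry and
# returns 1 if any was found, 0 if every entry passes this check.
check_rpath() {
    rc=0
    # An empty component makes the loader search the current directory.
    case ":$1:" in
        *::*) echo "unsafe: empty entry (current directory)"; rc=1 ;;
    esac
    old_ifs=$IFS; IFS=:
    set -f                                  # no glob expansion while splitting
    for entry in $1; do
        case $entry in
            '') ;;                          # already reported above
            '$ORIGIN'*|'${ORIGIN}'*) ;;     # resolved relative to the binary
            /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
                echo "unsafe: world-writable location: $entry"; rc=1 ;;
            /*) ;;                          # other absolute paths are accepted
            *)  echo "unsafe: relative path: $entry"; rc=1 ;;
        esac
    done
    set +f; IFS=$old_ifs
    return $rc
}

# Constructed sample of `objdump -x` output (not taken from any real package).
sample_dump() {
    printf '%s\n' 'Dynamic Section:' '  NEEDED               libexample.so.1' \
        '  RPATH                /tmp/build/lib:/usr/lib/example' \
        '  RUNPATH              $ORIGIN/../lib'
}

# Report unsafe values from objdump output on stdin; $1 labels the source.
audit_dump() {
    extract_rpaths | while IFS= read -r value; do
        out=$(check_rpath "$value") || printf '%s [%s]\n%s\n' "$1" "$value" "$out"
    done
}

if [ "$#" -eq 0 ]; then
    sample_dump | audit_dump "constructed sample"
else
    for f in "$@"; do objdump -x "$f" 2>/dev/null | audit_dump "$f"; done
fi
```

Run it with the files to audit as arguments, for example the output of `rpm -ql llvm | grep "/usr/bin"`; no output means no RPATH or RUNPATH entry was flagged.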

Comment 4 David Walser 2013-12-23 14:25:21 CET
Thanks Oden!

Status: NEW => RESOLVED
Resolution: (none) => INVALID