Bug 13499

Summary: musl new security issue CVE-2014-3484
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: makowski.mageia, sysadmin-bugs, thierry.vignaud, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/602883/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: musl-0.9.14-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-06-09 01:28:34 CEST 
A security issue in musl has been announced on June 7 (or 6 in some timezones):
http://seclists.org/oss-sec/2014/q2/495

It was fixed upstream in 1.1.2, which tv uploaded for Cauldron.

It was also fixed in 1.0.3.  You can see both releases here:
http://freecode.com/projects/musl/releases/364244

A patch was attached to the post I linked at the top.

The version in Mageia 3 is too old to be vulnerable.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated musl package fixes security vulnerability:

A remote stack-based buffer overflow has been found in musl libc's dns
response parsing code. The overflow can be triggered in programs linked
against musl libc and making dns queries via one of the standard interfaces
(getaddrinfo, getnameinfo, gethostbyname, gethostbyaddr, etc.) if one of the
configured nameservers in resolv.conf is controlled by an attacker, or if an
attacker can inject forged udp packets with control over their contents.
Denial of service is also possible via a related failure in loop detection
(CVE-2014-3484).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3484
http://seclists.org/oss-sec/2014/q2/495
========================

Updated packages in core/updates_testing:
========================
musl-devel-0.9.14-2.1.mga4

from musl-0.9.14-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-06-09 01:29:49 CEST 
I don't see any obvious way to test this as it's not required or build required by anything in Mageia from what I can see.

CC: (none) => thierry.vignaud

Comment 2 Thierry Vignaud 2014-06-09 10:05:37 CEST 
Indeed.
I only packaged it in order to test building stage1 with musl instead of dietlibc.
We ended in using glibc instead.
You can just push the package or just try building a small C "hello world" program in order to check it's still working.
Comment 3 David Walser 2014-06-09 23:49:20 CEST 
Thanks for the suggestion Thierry, I didn't even think of that :o)

The only downside to hello world is that it doesn't make use of the code affected by this update.  So, I wrote a small DNS resolver program that uses gethostbyname, which the upstream advisory mentions should make use of the affected code.  I ran my program with the updated musl on Mageia 4 i586 and it works fine.  Interestingly enough, compiled with glibc it doesn't seem to work!  (It always returns host not found).

How to use this program:
- install musl-devel
- save the following code (at the bottom) as lookup.c
- run "musl-gcc -o lookup lookup.c"
- use the "lookup" binary created and give a host as a command line arg:
  lookup www.yahoo.com

It should give some valid output.  I get (for the above example):
Name:           fd-fp3.wg1.b.yahoo.com
Alias 0:        fd-fp3.wg1.b.yahoo.com
Alias 1:        www.yahoo.com
Type:           IPv4
Address 0:      98.139.180.149
Address 1:      98.139.183.24

Code:
#include <stdio.h>
#include <stddef.h>
#include <netdb.h>
extern int h_errno;

int main(int argc, char *argv[]){
  struct hostent *res = gethostbyname(argv[1]);
  char *alias, *address;
  int i = 0, j;
  switch(h_errno) {
    case HOST_NOT_FOUND:
      printf("Host not found\n");
      break;
    case TRY_AGAIN:
      printf("Try again\n");
      break;
    case NO_RECOVERY:
      printf("Non-recoverable error\n");
      break;
    case NO_DATA:
      printf("No data\n");
      break;
    default:
      printf("Name:\t\t%s\n", res->h_name);
      alias = res->h_aliases[i];
      while (alias != NULL) {
        printf("Alias %d:\t%s\n", i, alias);
        alias = res->h_aliases[++i];
      }
      printf("Type:\t\t");
      switch(res->h_addrtype){
        case AF_INET:
          printf("IPv4\n");
          break;
        case AF_INET6:
          printf("IPv6\n");
          break;
        default:
          printf("Unknown %d-byte length address\n", res->h_length);
      }
      i = 0;
      address = res->h_addr_list[i];
      while (address != NULL) {
        printf("Address %d:\t", i);
        for (j=0;j < res->h_length;j++) {
          printf("%hhu", (unsigned)address[j]);
          if (j != res->h_length-1)
            printf(".");
          else
            printf("\n");
        }
        address = res->h_addr_list[++i];
      }
  }
  return h_errno;
}
Comment 4 David Walser 2014-06-09 23:50:09 CEST 
When you run the binary you make, you'll most likely need a ./:
./lookup www.yahoo.com
David Walser 2014-06-10 00:13:11 CEST

Whiteboard: (none) => has_procedure

Comment 5 David Walser 2014-06-17 18:28:34 CEST 
Adding the whiteboard marker for my previous testing (i586).

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 6 Philippe Makowski 2014-06-17 20:21:32 CEST 
same tests ok under x86_64

CC: (none) => makowski.mageia
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 7 claire robinson 2014-06-18 15:23:10 CEST 
Thanks both. Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-06-18 20:01:55 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0262.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-06-19 17:52:22 CEST

URL: (none) => http://lwn.net/Vulnerabilities/602883/