Bug 13800

Summary: Update request: glibc-2.18-9.2.mga4 and glibc-2.17-7.3.mga3
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, mageia, marja11, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK advisory
Source RPM: glibc CVE:
Status comment:

Description Thomas Backlund 2014-07-25 14:20:00 CEST 
Advisory:

Updated glibc packages fixes security issues:

Stephane Chazelas discovered that directory traversal issue in locale
handling in glibc.  glibc accepts relative paths with ".." components
in the LC_* and LANG variables.  Together with typical OpenSSH
configurations (with suitable AcceptEnv settings in sshd_config), this
could conceivably be used to bypass ForceCommand restrictions (or
restricted shells), assuming the attacker has sufficient level of
access to a file system location on the host to create crafted locale
definitions there. (CVE-2014-0475)

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where
posix_spawn_file_actions_addopen fails to copy the path argument (
https://sourceware.org/bugzilla/show_bug.cgi?id=17048) which can, in
conjunction with many common memory management techniques from an
application, lead to a use after free, or other vulnerabilities.
(CVE-2014-4043)

This update also fixes the following issues:
x86: Disable x87 inline functions for SSE2 math (glibc bz #16510)
malloc: Fix race in free() of fastbin chunk (glibc bz #15073)


Mga3:
SRPMS:
glibc-2.17-7.3.mga3.src.rpm

i586:
glibc-2.17-7.3.mga3.i586.rpm
glibc-devel-2.17-7.3.mga3.i586.rpm
glibc-doc-2.17-7.3.mga3.noarch.rpm
glibc-i18ndata-2.17-7.3.mga3.i586.rpm
glibc-profile-2.17-7.3.mga3.i586.rpm
glibc-static-devel-2.17-7.3.mga3.i586.rpm
glibc-utils-2.17-7.3.mga3.i586.rpm
nscd-2.17-7.3.mga3.i586.rpm

x86_64:
glibc-2.17-7.3.mga3.x86_64.rpm
glibc-devel-2.17-7.3.mga3.x86_64.rpm
glibc-doc-2.17-7.3.mga3.noarch.rpm
glibc-i18ndata-2.17-7.3.mga3.x86_64.rpm
glibc-profile-2.17-7.3.mga3.x86_64.rpm
glibc-static-devel-2.17-7.3.mga3.x86_64.rpm
glibc-utils-2.17-7.3.mga3.x86_64.rpm
nscd-2.17-7.3.mga3.x86_64.rpm


Mga4:
SRPMS:
glibc-2.18-9.1.mga4.src.rpm

i586:
glibc-2.18-9.1.mga4.i586.rpm
glibc-devel-2.18-9.1.mga4.i586.rpm
glibc-doc-2.18-9.1.mga4.noarch.rpm
glibc-i18ndata-2.18-9.1.mga4.i586.rpm
glibc-profile-2.18-9.1.mga4.i586.rpm
glibc-static-devel-2.18-9.1.mga4.i586.rpm
glibc-utils-2.18-9.1.mga4.i586.rpm
nscd-2.18-9.1.mga4.i586.rpm

x86_64:
glibc-2.18-9.1.mga4.x86_64.rpm
glibc-devel-2.18-9.1.mga4.x86_64.rpm
glibc-doc-2.18-9.1.mga4.noarch.rpm
glibc-i18ndata-2.18-9.1.mga4.x86_64.rpm
glibc-profile-2.18-9.1.mga4.x86_64.rpm
glibc-static-devel-2.18-9.1.mga4.x86_64.rpm
glibc-utils-2.18-9.1.mga4.x86_64.rpm
nscd-2.18-9.1.mga4.x86_64.rpm



Reproducible: 

Steps to Reproduce:
Thomas Backlund 2014-07-25 14:20:53 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Marja Van Waes 2014-07-25 18:19:38 CEST 
I did *not* try the PoC from https://sourceware.org/bugzilla/show_bug.cgi?id=17048#c0 because I don't even understand which language that program is written in, so I don't have a clue how to run it, either.

Anyway, both my old 64bits and my 32bits ThinkPad laptops run fine after updating to 

for 64bits:
glibc-2.18-9.1.mga4
glibc-devel-2.18-9.1.mga4
nscd-2.18-9.1.mga4

for 32bits:
glibc-2.18-9.1.mga4

CC: (none) => marja11

Comment 2 Marja Van Waes 2014-07-25 21:22:47 CEST 
64 bits desktop with KDE (the above mentioned laptops were also with KDE)
after updating to 
glibc-2.18-9.1.mga4
glibc-devel-2.18-9.1.mga4

everything works fine (but I'm aware I didn't by far test all applications that require glibc... there is no end to them)
Comment 3 Marja Van Waes 2014-07-25 21:32:02 CEST 
same 64bits desktop, Mga 3 partition with KDE:

glibc-devel-2.17-7.3.mga3
glibc-2.17-7.3.mga3

I don't see anything odd
Comment 4 Thomas Backlund 2014-07-27 14:01:42 CEST 
the glibc package for mga4 will be rebuilt with a fixed gcc (there is a gcc bug just found and fixed where sched2 miscompiles syscall sequence so it can cause crashes)
Comment 5 Thomas Backlund 2014-07-27 18:27:30 CEST 
mga4 glibc packages rebuilt with new gcc:

SRPM:
glibc-2.18-9.2.mga4.src.rpm

i586:
glibc-2.18-9.2.mga4.i586.rpm
glibc-devel-2.18-9.2.mga4.i586.rpm
glibc-doc-2.18-9.2.mga4.noarch.rpm
glibc-i18ndata-2.18-9.2.mga4.i586.rpm
glibc-profile-2.18-9.2.mga4.i586.rpm
glibc-static-devel-2.18-9.2.mga4.i586.rpm
glibc-utils-2.18-9.2.mga4.i586.rpm
nscd-2.18-9.2.mga4.i586.rpm

x86_64:
glibc-2.18-9.2.mga4.x86_64.rpm
glibc-devel-2.18-9.2.mga4.x86_64.rpm
glibc-doc-2.18-9.2.mga4.noarch.rpm
glibc-i18ndata-2.18-9.2.mga4.x86_64.rpm
glibc-profile-2.18-9.2.mga4.x86_64.rpm
glibc-static-devel-2.18-9.2.mga4.x86_64.rpm
glibc-utils-2.18-9.2.mga4.x86_64.rpm
nscd-2.18-9.2.mga4.x86_64.rpm
Comment 6 Marja Van Waes 2014-07-27 20:27:09 CEST 
Mga 64bits KDE on this system
https://wiki.mageia.org/en/User:Marja/QA/Hardware#NVidia_system_from_Alternate

after updating to 
glibc-2.18-9.2.mga4
glibc-devel-2.18-9.2.mga4

used the system for a while, with several applications and everything works fine
Marja Van Waes 2014-07-27 20:27:51 CEST

Summary: Update request: glibc-2.18-9.1.mga4 and glibc-2.17-7.3.mga3 => Update request: glibc-2.18-9.2.mga4 and glibc-2.17-7.3.mga3

Comment 7 Marja Van Waes 2014-07-27 22:15:39 CEST 
Mga 32bits KDE on this system
https://wiki.mageia.org/en/User:Marja/QA/Hardware#IBM_ThinkPad_R50e

after updating to 
glibc-devel-2.18-9.2.mga4
glibc-2.18-9.2.mga4

used the system for a while, with several applications and everything works fine
Comment 8 Marja Van Waes 2014-07-28 15:17:42 CEST 
Mga 64bits KDE on this system:
https://wiki.mageia.org/en/User:Marja/QA/Hardware#Lenovo_ThinkPad_SL510

after updating to:

glibc-2.18-9.2.mga4
glibc-devel-2.18-9.2.mga4
nscd-2.18-9.2.mga4

used the system for a while, with several applications, and everything tested works fine.
Comment 9 David GEIGER 2014-07-29 15:32:08 CEST 
Tested mga4_64,

Testing complete for the new glibc-2.18-9.2.mga4, Ok for me and seems to work properly.

- glibc-devel-2.18-9.2.mga4.x86_64.rpm
- glibc-2.18-9.2.mga4.x86_64.rpm
- nscd-2.18-9.2.mga4.x86_64.rpm

No regression found !!

CC: (none) => geiger.david68210
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Marja Van Waes 2014-07-31 22:03:03 CEST

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK

Comment 10 David Walser 2014-07-31 23:20:43 CEST 
No regressions found on Mageia 3 i586 on my Dell Optiplex 990 at work.

This can be pushed once the advisory is uploaded (and ideally at the same time as the kernel updates).

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 11 RĂ©mi Verschelde 2014-08-01 23:31:03 CEST 
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-64-OK MGA3-32-OK advisory

Comment 12 David Walser 2014-08-05 18:22:15 CEST 
LWN reference for CVE-2014-0475:
http://lwn.net/Vulnerabilities/605175/

LWN reference for CVE-2014-4043:
http://lwn.net/Vulnerabilities/607644/
Comment 13 Colin Guthrie 2014-08-05 22:26:04 CEST 
Update pushed.

http://advisories.mageia.org/MGASA-2014-0314.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED