| Summary: | libunwind new security issue CVE-2015-3239 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, sysadmin-bugs, tmb |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/650889/ | ||
| Whiteboard: | MGA4TOO advisory has_procedure mga5-64-ok MGA4-64-OK | ||
| Source RPM: | libunwind-1.1-4.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-07-13 19:43:33 CEST
David Walser
2015-07-13 19:43:48 CEST
Whiteboard:
(none) =>
MGA5TOO, MGA4TOO

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

This package is only used for building our kernel package.

Advisory:
========================

Updated libunwind packages fix security vulnerability:

An invalid DW_OP_bregXX opcode can access dwarf_to_unw_regnum_map one item past the end (CVE-2015-3239).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3239
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162200.html
========================

Updated packages in core/updates_testing:
========================
libunwind-1.1-2.1.mga4
libunwind-devel-1.1-2.1.mga4
libunwind-1.1-4.1.mga5
libunwind-devel-1.1-4.1.mga5

from SRPMS:
libunwind-1.1-2.1.mga4.src.rpm
libunwind-1.1-4.1.mga5.src.rpm

Whiteboard:
MGA5TOO, MGA4TOO =>
MGA4TOO
Dave Hodgins
2015-07-28 16:15:48 CEST
Whiteboard:
MGA4TOO =>
MGA4TOO advisory

(In reply to David Walser from comment #1)
> This package is only used for building our kernel package.

In which case, can it be tested otherwise? Or does it need to be tested by someone who builds kernels? If the latter, how do we organise this?

CC:
(none) =>
lewyssmith

Thomas could validate this himself if he wanted, but otherwise anyone can test building the kernel package from our SVN or Source RPM. For instance, if you have rpm-build, bm, and mgarepo installed, you should be able to do:

mgarepo co -d 5 kernel
cd kernel
./build_sources
bm -ls
su -c 'urpmi SRPMS/kernel*.rpm'
bm -l

You're probably OK if it builds fine, but you could test one of the built kernels too if you wanted.

I'm not sure exactly what libunwind is used for in our kernel build process, especially since the kernel-linus package didn't also BuildRequire it.

Testing complete mga5 64
The rpm in 64bit is libunwind rather than lib64unwind. Is that expected?
libunwind is required by perf.
# urpmq --whatrequires libunwind
libunwind
libunwind-devel
libunwind-devel
perf
weston
Tested as below
# perf bench mem memcpy
# Running 'mem/memcpy' benchmark:
# Copying 1MB Bytes ...
2.618130 GB/Sec
1.593087 GB/Sec (with prefault)

Whiteboard:
MGA4TOO advisory =>
MGA4TOO advisory mga5-64-ok
claire robinson
2015-07-29 13:36:06 CEST
Whiteboard:
MGA4TOO advisory mga5-64-ok =>
MGA4TOO advisory has_procedure mga5-64-ok

(In reply to claire robinson from comment #4)
> The rpm in 64bit is libunwind rather than lib64unwind. Is that expected?

Yes, the SRPM name is libunwind, so the main package it creates is called that. lib64 stuff is only for library subpackages.

> libunwind is required by perf.

Ahh, that makes sense, and explains why kernel-linus doesn't need it. Thanks.

Testing Mageia 4 x64

Thanks for Claire's intervention Comment 4.

BEFORE: libunwind-1.1-2.mga4
# perf bench mem memcpy
# Running 'mem/memcpy' benchmark:
# Copying 1MB Bytes ...
993.048659 MB/Sec
951.474786 MB/Sec (with prefault)

AFTER: libunwind-1.1-2.1.mga4
# perf bench mem memcpy
# Running 'mem/memcpy' benchmark:
# Copying 1MB Bytes ...
1.086276 GB/Sec
951.474786 MB/Sec (with prefault)

i.e. it still works, the update deemed OK.

Whiteboard:
MGA4TOO advisory has_procedure mga5-64-ok =>
MGA4TOO advisory has_procedure mga5-64-ok MGA4-64-OK
Dave Hodgins
2015-08-10 05:50:51 CEST
Keywords:
(none) =>
validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0307.html

Status:
NEW =>
RESOLVED