Bug 17087

Summary: util-linux new security issue CVE-2015-5218
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/663071/
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK advisory
Source RPM: util-linux-2.25.2-3.1.mga5.src.rpm
CVE:
Status comment:
Attachments: Test file for colcrt

Description David Walser 2015-11-04 20:00:54 CET
OpenSuSE has issued an advisory today (November 4):
http://lists.opensuse.org/opensuse-updates/2015-11/msg00035.html

The OpenSuSE bug has PoC information:
https://bugzilla.suse.com/show_bug.cgi?id=949754

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

A buffer overflow in the colcrt command in util-linux can lead to a crash
when given a large input (CVE-2015-5218).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5218
http://lists.opensuse.org/opensuse-updates/2015-11/msg00035.html
========================

Updated packages in core/updates_testing:
========================
util-linux-2.25.2-3.2.mga5
libblkid1-2.25.2-3.2.mga5
libblkid-devel-2.25.2-3.2.mga5
libuuid1-2.25.2-3.2.mga5
libuuid-devel-2.25.2-3.2.mga5
uuidd-2.25.2-3.2.mga5
python-libmount-2.25.2-3.2.mga5
libmount1-2.25.2-3.2.mga5
libmount-devel-2.25.2-3.2.mga5
libsmartcols1-2.25.2-3.2.mga5
libsmartcols-devel-2.25.2-3.2.mga5

from util-linux-2.25.2-3.2.mga5.src.rpm

Comment 1 Len Lawrence 2015-11-04 23:26:05 CET
Created attachment 7183
Test file for colcrt

CC: (none) => tarazed25

Comment 2 Len Lawrence 2015-11-04 23:30:09 CET
4.1.12-desktop-1.mga5  x86_64 
Downloaded the test file from the PoC link provided.
$ colcrt  binZ8dhbQ3bFM.bin
Segmentation fault

Updated to the packages listed above, leaving out the development packages.

Ran the same command - no seg fault.
Adding the 64-bit OK.
Len Lawrence 2015-11-04 23:30:45 CET

Whiteboard: (none) => has_procedure MGA5-64-OK

Comment 3 Len Lawrence 2015-11-05 00:30:14 CET
Switched to 32-bit architecture on a VM.
4.1.12-desktop-1.mga5

Tried the PoC as before and received a segfault.
Updated the seven packages (left out devel packages).
No segfault for the same test.

Ran it again under strace to see what was going on and it all looked above board.
The last few lines indicate a successful read on file id 3 which returned the size of the file in bytes and then a normal close.
read(3, "_\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\0\20\27\27\27\27\27\27"..., 4096) = 314
close(3)                                = 0

Good for 32-bits.
Len Lawrence 2015-11-05 00:30:44 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Dave Hodgins 2015-11-05 22:30:50 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2015-11-05 23:47:08 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0434.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED