Bug 17394

Summary: glibc new security issues fixed upstream in 2.23 and more
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: doktor5000, eeeemail, geiger.david68210, mageia, sysadmin-bugs, westel
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/669159/
Whiteboard: has_procedure advisory mga5-32-ok mga5-64-ok
Source RPM: glibc-2.20-20.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-12-24 17:35:19 CET
OpenSuSE has issued an advisory today (December 24):
http://lists.opensuse.org/opensuse-updates/2015-12/msg00106.html

Thomas already included the patch for this in Cauldron.

All details are on the SuSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=950944

This is a minor issue, so you could queue the fix for this for a future update.

David Walser 2015-12-24 19:44:06 CET

URL: (none) => http://lwn.net/Vulnerabilities/669159/

Comment 1 David Walser 2016-01-19 19:46:11 CET
glibc 2.23 fixes this issue and four others.  CVE request:
http://openwall.com/lists/oss-security/2016/01/19/11

Comment 2 David Walser 2016-01-20 17:53:03 CET
CVE assignments have been made here:
http://openwall.com/lists/oss-security/2016/01/20/1

There seems to be a difference of opinion as to what constitutes a security vulnerability in glibc.  Interesting.  Anyway, it sounds like probably none of these are serious.

CVE assignments are:
BZ #18985 - CVE-2015-8776
BZ #18928 - CVE-2015-8777
BZ #18240 - CVE-2015-8778
BZ #16962 - CVE-2014-9761
BZ #17905 - CVE-2015-8779

Summary: glibc new security issue fixed upstream in 2.23 [BZ #18928] => glibc new security issues fixed upstream in 2.23

Comment 3 David Walser 2016-02-09 18:31:26 CET
LWN reference for some of the new CVEs:
http://lwn.net/Vulnerabilities/674835/

Debian-LTS has issued an advisory for this on February 5:
http://lwn.net/Alerts/674800/

Comment 4 David Walser 2016-02-16 17:15:17 CET
RedHat has issued an advisory today (February 16):
https://rhn.redhat.com/errata/RHSA-2016-0176.html

CVE-2015-7547 is critical and likely affects us.  CVE-2015-5229 is low severity and may not affect us, I'm not sure.

Summary: glibc new security issues fixed upstream in 2.23 => glibc new security issues fixed upstream in 2.23 and more
Severity: normal => critical

Comment 5 David Walser 2016-02-16 17:23:09 CET
Debian has issued an advisory for some of these CVEs today (February 16):
https://lists.debian.org/debian-security-announce/2016/msg00051.html
https://www.debian.org/security/2016/dsa-3481

Comment 6 David Walser 2016-02-16 20:23:03 CET
LWN reference for CVE-2015-7547:
http://lwn.net/Vulnerabilities/675830/

Comment 7 David Walser 2016-02-16 20:37:25 CET
From the Google blog post, PoC for CVE-2015-7547:
https://github.com/fjserna/CVE-2015-7547

Comment 8 David Walser 2016-02-17 16:40:19 CET
OpenSuSE has issued an advisory for several CVEs today (February 17):
http://lists.opensuse.org/opensuse-updates/2016-02/msg00103.html

Comment 9 David Walser 2016-02-17 20:45:22 CET
LWN reference for CVE-2015-5229:
http://lwn.net/Vulnerabilities/676082/

claire robinson 2016-02-18 12:09:46 CET

CC: (none) => eeeemail

Comment 10 Nicolas Lécureuil 2016-02-18 16:50:27 CET
What about this one? Is someone working on it?

CC: (none) => mageia

Comment 11 Florian Hubold 2016-02-18 20:53:25 CET
(In reply to Nicolas Lécureuil from comment #10)
> What about this one? Is someone working on it?

Seems it has been fixed for Cauldron already via http://svnweb.mageia.org/packages?view=revision&revision=966898

And well, nobody changed the bug into ASSIGNED state, so probably no one is working on it for mga5, I'd guess. But we should really get a fix out at the very least for CVE-2015-7547 urgently. Although it's probably not a good idea to hastily update to 2.23 IMHO.

Upstream fix from 2.21 branch doesn't apply cleanly:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=16d0a0ce7613552301786bf05d7eba8784b5732c
But FWIW, seems someone already rediffed the upstream patch for glibc 2.20:
https://gist.github.com/sstiller/d277b77a3b60805f9d7b

CC: (none) => doktor5000

Comment 12 Thomas Backlund 2016-02-18 20:55:30 CET
Work is in progress

Status: NEW => ASSIGNED

Comment 13 Thomas Backlund 2016-02-19 06:57:14 CET
CVE-2015-5229 is RH feature backport specific, so not for us


Advisory:
Updated glibc fixes the following security issues:

A stack overflow (unbounded alloca) could have caused applications which
process long strings with the nan function to crash or, potentially,
execute arbitrary code (CVE-2014-9761).

A stack-based buffer overflow in getaddrinfo allowed remote attackers
to cause a crash or execute arbitrary code via crafted and timed DNS
responses (CVE-2015-7547).

Out-of-range time values passed to the strftime function may cause it
to crash, leading to a denial of service, or potentially disclose
information (CVE-2015-8776).

Insufficient checking of LD_POINTER_GUARD environment variable allowed
local attackers to bypass the pointer guarding protection of the dynamic
loader on set-user-ID and set-group-ID programs (CVE-2015-8777).

Integer overflow in hcreate and hcreate_r could have caused an out-of-bounds
memory access, leading to application crashes or, potentially, arbitrary
code execution (CVE-2015-8778).

A stack overflow (unbounded alloca) in the catopen function could have
caused applications which pass long strings to the catopen function to
crash or, potentially, execute arbitrary code (CVE-2015-8779).



SRPM:
glibc-2.20-21.mga5.src.rpm

i586:
glibc-2.20-21.mga5.i586.rpm
glibc-devel-2.20-21.mga5.i586.rpm
glibc-doc-2.20-21.mga5.noarch.rpm
glibc-i18ndata-2.20-21.mga5.i586.rpm
glibc-profile-2.20-21.mga5.i586.rpm
glibc-static-devel-2.20-21.mga5.i586.rpm
glibc-utils-2.20-21.mga5.i586.rpm
nscd-2.20-21.mga5.i586.rpm

x86_64:
glibc-2.20-21.mga5.x86_64.rpm
glibc-devel-2.20-21.mga5.x86_64.rpm
glibc-doc-2.20-21.mga5.noarch.rpm
glibc-i18ndata-2.20-21.mga5.x86_64.rpm
glibc-profile-2.20-21.mga5.x86_64.rpm
glibc-static-devel-2.20-21.mga5.x86_64.rpm
glibc-utils-2.20-21.mga5.x86_64.rpm
nscd-2.20-21.mga5.x86_64.rpm

Hardware: i586 => All
Assignee: tmb => qa-bugs

Comment 14 Ben McMonagle 2016-02-19 08:26:44 CET
updated system to latest, 
then installed: 

glibc-2.20-21.mga5.i586.rpm
nscd-2.20-21.mga5.i586.rpm

rebooted, no issues noted

CC: (none) => westel

Comment 15 claire robinson 2016-02-19 09:06:04 CET
Tested mga5 64

Installed updates, rebooted. Checked the interwebs.

Confirmed patches applied, lines 330-343 & 577-584.
http://svnweb.mageia.org/packages/updates/5/glibc/current/SPECS/glibc.spec?view=markup&pathrev=967476

Validating. Will upload advisory shortly.

Whiteboard: (none) => has_procedure mga5-32-ok mga5-64-ok

Comment 16 David GEIGER 2016-02-19 09:09:52 CET
Tested mga5_64,

Testing complete for new glibc-2.20-21.mga5, all seems to work properly here too.

CC: (none) => geiger.david68210

Comment 17 claire robinson 2016-02-19 09:12:55 CET
Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure advisory mga5-32-ok mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2016-02-19 09:41:14 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0079.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 19 claire robinson 2016-02-19 09:59:38 CET
Just to have this on record - 3 hours from building to testing and release.

Thanks everybody for availing your time to this priority update.