Bug 18651

Summary: glibc, libtirpc new security issue CVE-2016-4429
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/690146/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: glibc-2.22-19.mga6.src.rpm, libtirpc CVE:
Status comment:

Description David Walser 2016-06-07 18:55:33 CEST 
Fedora has issued an advisory on June 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZSLYZOW4ASQ5GSHLIUW7HXHFCBZ2ADUQ/

Mageia 5 is also affected.

libtirpc hasn't been fixed yet in Fedora, and the vulnerable code appears to be there in the get_reply: section of clnt_dg_call() in src/clnt_dg.c

Fedora added this patch in glibc:
http://pkgs.fedoraproject.org/cgit/rpms/glibc.git/plain/glibc-rh1337140.patch?h=f23&id=2d5168f40a40a16c331909945969a6baaf715b9c

They also added two bugfix patches in the same update.
David Walser 2016-06-07 18:55:40 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Thomas Backlund 2016-06-07 21:43:50 CEST 
glibc already fixed in cauldron since:

Name        : glibc                        Relocations: (not relocatable)
Version     : 2.22                              Vendor: Mageia.Org
Release     : 18.mga6                       Build Date: Mon 30 May 2016 03:24:53 PM CEST

tmb <tmb> 6:2.22-18.mga6:
+ Revision: 1019403
- CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ#20112]

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 David Walser 2016-06-07 21:49:47 CEST 
Thanks.  Marking Cauldron for now as libtirpc has not yet been fixed.

Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO

Comment 3 David Walser 2016-07-22 18:19:54 CEST 
libtirpc-1.0.1-4.mga6 uploaded for Cauldron with the fix.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2016-07-26 14:50:40 CEST 
Updated packages built this morning:
glibc-2.20-23.mga5
glibc-devel-2.20-23.mga5
glibc-static-devel-2.20-23.mga5
glibc-profile-2.20-23.mga5
nscd-2.20-23.mga5
glibc-utils-2.20-23.mga5
glibc-i18ndata-2.20-23.mga5
glibc-doc-2.20-23.mga5
libtirpc-0.2.5-3.1.mga5
libtirpc1-0.2.5-3.1.mga5
libtirpc-devel-0.2.5-3.1.mga5

from SRPMS:
glibc-2.20-23.mga5.src.rpm
libtirpc-0.2.5-3.1.mga5.src.rpm
Comment 5 Thomas Backlund 2016-07-26 21:22:02 CEST 
Assigning to QA, rpm list in comment 4

I have this glibc update already running on mageia infra and on several of my own live servers (x86_64 arch)

Will try to write advisory tomorrow

Assignee: tmb => qa-bugs

Comment 6 David Walser 2016-07-28 16:32:58 CEST 
Running these packages fine with no issues on multiple Mageia 5 systems, both architectures.

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK

Comment 7 David Walser 2016-07-30 10:56:52 CEST 
Validating so this can ship with the kernel update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2016-07-31 22:29:25 CEST 
advisory added to svn

CC: (none) => tmb
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 9 Mageia Robot 2016-07-31 22:39:52 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0270.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED