Bug 19844

Summary: gc new security issue CVE-2016-9427
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, marja11, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/707357/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Source RPM: gc-7.4.2-7.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-11-25 19:53:13 CET 
Debian-LTS has issued an advisory today (November 25):
https://lwn.net/Alerts/707332/

Information about the fixes in the Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844771

Mageia 5 is also affected.
David Walser 2016-11-25 19:53:25 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-25 20:32:01 CET 
Assigning to the registered maintainer of gc

CC: (none) => marja11
Assignee: bugsquad => luis.daniel.lucio

Comment 2 David Walser 2017-06-04 20:38:17 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated gc packages fix security vulnerability:

Kuang-che Wu discovered that multiple integer overflow vulnerabilities existed
in libgc. An attacker could use these to cause a denial of service (application
crash) or possibly execute arbitrary code (CVE-2016-9427).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9427
https://www.ubuntu.com/usn/usn-3197-1/
========================

Updated packages in core/updates_testing:
========================
libgc1-7.4.2-3.1.mga5
libgc-devel-7.4.2-3.1.mga5

from gc-7.4.2-3.1.mga5.src.rpm

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
Assignee: luis.daniel.lucio => qa-bugs

Comment 3 Len Lawrence 2017-06-05 11:42:26 CEST 
Testing on x86_64, Mate, real hardware.

It looks like libgc is a garbage collector used as a replacement for malloc in C and C++.
The CVE link leads to http://www.openwall.com/lists/oss-security/2016/11/18/3 which lists many issues affecting w3m which is a text-based web browser, CVE-2016-9427 amongst them.   w3m is a text-based web browser supported by Mageia but there do not appear to be any other applications which require this library.

Installed w3m and tried it out:
$ w3m http://exoplanet.eu

That brought up the pager OK.  Q to exit.
Running under strace is not very satisfactory as all the text output goes to the trace file.  At least it shows that libgc is being used.

$ cat w3m.trace | grep gc
open("/usr/lib64/libgc.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "/lib64/libgc.so.1.0.3\n7fe0ba6060"..., 1024) = 1024
getcwd("/home/lcl/qa/libgc", 4096)      = 19

Installed the two update packages and ran w3m again.  The navigation commands worked and it was possible to follow hyperlinks.
Another site: https://apod.nasa.gov/apod/astropix.html displayed an image in the terminal including colours and pressing return while the cursor was on the image brought up gqview (my default image viewer) with the same image.

Passing this for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2017-06-05 11:42:43 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 4 Dave Hodgins 2017-06-07 04:58:52 CEST 
Similar testing on i586. Advisory committed to svn. Validating the update.

CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Dave Hodgins 2017-06-07 04:59:33 CEST

Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-06-08 23:40:38 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0157.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED