| Summary: | libffi new security issue CVE-2017-1000376 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, marja11, rverschelde, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5-32-OK MGA5-64-OK advisory | ||
| Source RPM: | libffi-3.1-4.mga5 | CVE: | |
| Status comment: | |||
Description
David Walser
2017-06-21 12:19:15 CEST

David Walser
2017-06-21 12:19:31 CEST
Whiteboard: (none) => MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11

This one looks a bit less than straightforward. For this update, Debian added a patch that also required the addition of the --enable-pax_emutramp configure argument. They later updated the patch so that that configure argument is a no-op unless it's changed to --enable-pax_emutramp=experimental, which they did not change, so it appears that they basically reverted the fix. Also, it sounds like the fix only has an impact on grsecurity-hardened kernels (or possibly when using SELinux), so it may not have general applicability to us anyway. I think Thomas or someone that understands this better will need to evaluate this one.

Mageia 6 is not affected, as libffi 3.2.1 already contains the fix:
https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d
(the fix is not included for aarch64, but we don't support this arch)

For Mageia 5, we can sync with Fedora, which also had version 3.1:
http://pkgs.fedoraproject.org/cgit/rpms/libffi.git/log/
Version: Cauldron => 5

Advisory:
=========

Updated libffi packages fix security vulnerability

libffi, a library used to call code written in one language from code written in a different language, was enforcing an executable stack on the i386 architecture. While this might not be considered a vulnerability by itself, this could be leveraged when exploiting other vulnerabilities, like for example the "stack clash" class of vulnerabilities discovered by Qualys Research Labs.

References:
- https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
- https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d

RPMs in core/updates_testing:
=============================
lib(64)ffi6-3.1-4.1.mga5
lib(64)ffi-devel-3.1-4.1.mga5

SRPM in core/updates_testing:
=============================
libffi-3.1-4.1.mga5
Assignee: rverschelde => qa-bugs

(In reply to Rémi Verschelde from comment #3)
> Mageia 6 is not affected, as libffi 3.2.1 already contains the fix:
> https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d
> (the fix is not included for aarch64, but we don't support this arch)

No, Debian did additional work on top of 3.2.1 for this. See their advisory, changelog in sid, and:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751907
CC: (none) => rverschelde

MGA5-32 on Asus A6000VM Xfce
No installation issues.
At CLI:
# urpmq --whatrequires libffi6
firefox
firefox
firefox
and a lot of packages pointing to programming.
Took a gamble on running firefox and opening Extra - Webdesigner - Inspector, and strace showed indeed:
open("/lib/libffi.so.6", O_RDONLY|O_CLOEXEC) = 4
so OK for me
CC: (none) => herman.viaene

As Herman indicates in comment 6, this is essentially a programmer's library. 'urpmq --whatrequires lib64ffi6 | sort | uniq' indicates that ruby has an ffi implementation, so:
$ sudo urpmi ruby-devel
$ sudo urpmi ruby-ffi
$ sudo gem install ffi
Found a snippet of ruby code on the web which shows how ruby can run functions from a foreign library. The example is pointless in fact, but does use the libffi6 library to hitch-hike on the libc library. There are more realistic examples at https://github.com/ffi/ffi/wiki/Examples
---------------------------------------------------------------
#!/bin/env ruby
# https://github.com/ffi/ffi
# ffi.rb
require 'ffi'

# Bind libc's puts() through libffi and call it from Ruby.
module MyLib
  extend FFI::Library
  ffi_lib 'c'
  attach_function :puts, [ :string ], :int
end

MyLib.puts 'Hello, World using libc!'
--------------------------------------------------------------
$ strace ruby ffi.rb >& ffi.trace
$ cat ffi.trace | grep libffi
open("/usr/lib64/libffi.so.6", O_RDONLY|O_CLOEXEC) = 7
The stack clash vulnerability issue is too large a subject for generalized PoC testing, I would imagine. None found anyway.
After installing the updates the noddy ruby script still worked.
$ ./ffi.rb
Hello, World using libc!
Good for 64-bit systems.
CC: (none) => tarazed25
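The advisory says the i386 libffi.so.6 was enforcing an executable stack, while the QA comments above only confirm that the updated library still loads. The property the advisory is about lives in the PT_GNU_STACK program header, which is what the kernel and ld.so consult when they map an object, so the check worth running on the old and new 32-bit packages is to read that header. The script below is an added example for this page; it is not code from the bug report, from libffi or from Mageia. It parses the ELF headers directly so it needs no binutils, the sample images it builds are constructed test data rather than real libraries, and the path /lib/libffi.so.6 in the usage line is taken from Herman's strace output and assumed to be where the 32-bit library is installed.

```python
"""Report whether an ELF object asks for an executable stack (PT_GNU_STACK).

Added example, not code from the Mageia bug or from libffi. The kernel and
ld.so read the PT_GNU_STACK program header: PF_X in its flags, or no such
header at all on x86, means every process mapping the object gets an
executable stack. GNU ld emits PF_X when any input object (for example an
assembly file) lacks a .note.GNU-stack section, which is how a single .S
file can mark a whole shared library.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ELF_MAGIC = b"\x7fELF"


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the header is absent."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:
            # Elf32_Phdr keeps p_flags after p_memsz, at offset 24.
            (p_type,) = struct.unpack_from(end + "I", data, off)
            (p_flags,) = struct.unpack_from(end + "I", data, off + 24)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_is_executable(data: bytes) -> bool:
    """True if loading this object would give the process an executable stack."""
    flags = gnu_stack_flags(data)
    if flags is None:
        # Legacy x86 default when the header is missing: executable.
        return True
    return bool(flags & PF_X)


def describe(data: bytes) -> str:
    """Human-readable verdict in readelf-like RWE notation."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "no GNU_STACK header (treated as executable on x86)"
    perms = "".join(c if flags & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("E", PF_X)))
    return "GNU_STACK " + perms + (" -> EXECUTABLE STACK" if flags & PF_X else " -> ok")


def build_test_elf(is64: bool, stack_flags) -> bytes:
    """Constructed test data: a header-only ET_DYN image with one PT_GNU_STACK
    entry (or none when stack_flags is None). Not a loadable library."""
    ident = ELF_MAGIC + bytes([2 if is64 else 1, 1, 1, 0]) + b"\0" * 8
    phnum = 0 if stack_flags is None else 1
    if is64:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags or 0, 0, 0, 0, 0, 0, 16)
    else:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags or 0, 16)
    return hdr + (phdr if phnum else b"")


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: show the three cases on constructed images.
        for label, img in (("i386 RWE ", build_test_elf(False, PF_R | PF_W | PF_X)),
                           ("i386 RW  ", build_test_elf(False, PF_R | PF_W)),
                           ("i386 none", build_test_elf(False, None))):
            print(label, describe(img))
    for p in paths:
        with open(p, "rb") as f:
            print(p, describe(f.read()))
```

Run as `python3 gnu_stack.py /lib/libffi.so.6` on a 32-bit Mageia 5 box before and after installing libffi-3.1-4.1.mga5; the pre-update library should report RWE and the updated one RW. The "no header" case is handled separately because the absence of PT_GNU_STACK is not "safe": on x86 the kernel and glibc fall back to an executable stack, so a checker that only looks for PF_X would pass exactly the objects this advisory is about.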
Len Lawrence
2017-07-05 20:26:16 CEST
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Dave Hodgins
2017-07-06 20:30:06 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0201.html
Status: NEW => RESOLVED