Bug 21140

Summary: GNU libffcall update to 1.13
Product: Mageia Reporter: Bruno Haible <bruno>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: minor    
Priority: Normal CC: davidwhodgins, geiger.david68210, herman.viaene, mageia, marja11, pkg-bugs, pterjan, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK advisory MGA-64-OK
Source RPM: ffcall-1.12-3.mga6, ffcall-1.10-12.mga5 CVE:
Status comment:

Description Bruno Haible 2017-06-24 14:23:27 CEST 
GNU libffcall 1.13 is released. You find the download link at the homepage
https://www.gnu.org/software/libffcall/

New in 1.13:

* The license has been changed from GPLv2 to GPLv2+.

* Added support for the following platforms:
  (Previously, a build on these platforms failed.)
  - x86_64: Mac OS X 64-bit.
  - x86_64: Solaris 64-bit.
  - x86_64: Linux with x32 ABI: CC="gcc -mx32".
  - arm: Linux 32-bit, without hardware floats.
  - arm64: Linux 64-bit.
  - s390x: Linux 64-bit.
  - powerpc: AIX 64-bit.
  - mips: IRIX 6.5 with CC="cc -32".
  - sparc: Solaris 64-bit.

* Fixed support for the following platforms:
  (Previously, a build on these platforms appeared to succeed but was buggy.)
  - x86_64: Linux.
  - arm: Linux 32-bit, with hardware floats.
  - powerpc: Linux 64-bit.
  - mips: Linux with CC="gcc -mabi=32".
  - mips: Linux with CC="gcc -mabi=n32".
  - mips: Linux with CC="gcc -mabi=64".
  - mips: IRIX 6.5 with CC="gcc -mabi=n32".
  - s390: Linux.
  - sparc: Linux 64-bit.
  - ia64: Linux.
  - hppa: HP-UX 32-bit.

* Verified support for the following platforms:
  (A build on these platforms worked and still works.)
  - i386: Linux, Solaris, Mac OS X.
  - powerpc: Linux 32-bit.
  - powerpc: AIX 32-bit.
  - powerpc: MacOS X.
  - mips: IRIX 6.5 with CC="cc -n32".
  - sparc: Solaris 32-bit.
  - sparc: Linux 32-bit: CC="gcc -m32".
  - alpha: Linux.

* Support for a security feature: On Linux and FreeBSD platforms, linking with
  the libffcall libraries no longer causes the stack to become executable.


The libffcall currently packaged in Mageia https://madb.mageia.org/package/show/application/0/name/libffcall0 is very old.

I invite you to upgrade to version 1.13.

NOTE! Libffcall is usually packaged as a non-shared library. If so, you need
to rebuild the packages that depend on it (in particular, GNU clisp).
Comment 1 David Walser 2017-06-24 20:58:11 CEST 
The executable stack bit sounds like it might be related to Stack Clash and the recent related fix in libffi.  Thanks for the report.

QA Contact: (none) => security
CC: (none) => geiger.david68210, pterjan
Component: RPM Packages => Security

Comment 2 Marja Van Waes 2017-06-24 22:09:55 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Whiteboard: (none) => MGA5TOO
Source RPM: https://madb.mageia.org/rpm/show/application/0/name/libffcall0-1.10-12.mga5.i586.rpm/source/0/release/5/arch/i586/t_media/3 => ffcall-1.12-3.mga6, ffcall-1.10-12.mga5

Nicolas Lécureuil 2017-06-25 18:15:29 CEST

QA Contact: security => (none)
CC: (none) => mageia
Component: Security => New RPM package request

Comment 3 David Walser 2017-06-25 19:40:27 CEST 
Nicolas, this isn't a new package request.  We already have this package.  It's a request for us to update it.

Component: New RPM package request => Security
QA Contact: (none) => security

Dave Hodgins 2017-06-27 20:28:09 CEST

Summary: Please package GNU libffcall 1.13 => GNU libffcall update to 1.13
CC: (none) => davidwhodgins

Comment 4 Rémi Verschelde 2017-06-30 12:45:09 CEST 
I'll see what I can do for this update.

CC: (none) => pkg-bugs
Assignee: pkg-bugs => rverschelde

Comment 5 Rémi Verschelde 2017-06-30 23:53:34 CEST 
Fixed with ffcall-1.13-1.mga6, and upcoming rebuild of clisp.

I've noticed that it can now build as a shared library, but since its only consumer is clisp and I have no clue about that package (which didn't build due to a hasty but broken sync with Fedora, but I've managed to fix that), I prefer not too mess with it too much at this stage.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 Rémi Verschelde 2017-06-30 23:54:00 CEST 
Forgot that Mageia 5 still needs a fix :o)

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Rémi Verschelde 2017-06-30 23:54:06 CEST

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 7 Rémi Verschelde 2017-07-01 00:07:34 CEST 
Advisory:
=========

Updated ffcall and clisp packages fix security vulnerability

  In libffcall before version 1.13, linking with the libffcall libraries could
  cause the stack to become executable. This is now fixed.

  clisp is rebuilt to pick the fixed libffcall static library.

References:
 - https://lists.gnu.org/archive/html/libffcall/2017-06/msg00002.html


RPMs in core/updates_testing:
=============================

lib(64)ffcall-devel-1.13-1.mga5
clisp-2.49-11.1.mga5
clisp-devel-2.49-11.1.mga5

SRPMs in core/updates_testing:
==============================

ffcall-1.13-1.mga5
clisp-2.49-11.1.mga5

Assignee: rverschelde => qa-bugs

Comment 8 Bruno Haible 2017-07-01 01:54:20 CEST 
(In reply to Rémi Verschelde from comment #5)
> I've noticed that it can now build as a shared library, but since its only
> consumer is clisp and I have no clue about that package ..., I
> prefer not too mess with it too much at this stage.

I agree. Building libffcall 1.13 as a shared library still has two problems:
1) It does not work on sparc and sparc64 platforms.
2) There is no proper library versioning (.so major/minor management) in place.

These issues are on the TODO list for a future release.
Comment 9 Herman Viaene 2017-07-03 13:53:47 CEST 
MGA5-32 on Asus A6000VM Xfce
Installation: package libffcall0 also to be included in list of Comment 7 I presume.
I can start clisp, call help, make addition (+ 2 2), and quit.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 10 Dave Hodgins 2017-07-06 20:43:05 CEST 
Tested on Mageia 5 x86_64, running clisp.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory MGA-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2017-07-07 11:26:37 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0202.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED