Bug 21582

Summary: glibc new security issue CVE-2017-12132 and CVE-2017-1567[01]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: glibc-2.22-25.mga6.src.rpm CVE:
Status comment:
Bug Depends on: 21663    
Bug Blocks:    

Description David Walser 2017-08-20 23:20:44 CEST 
Fedora has issued an advisory today (August 20):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZSNHXXCHORHUAQRWKA55MLDULQGRD7QD/

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-08-20 23:20:52 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

David Walser 2017-09-05 02:54:41 CEST

QA Contact: (none) => security
Component: RPM Packages => Security

David Walser 2017-09-05 02:59:09 CEST

Depends on: (none) => 21663

Comment 1 David Walser 2017-10-22 17:31:06 CEST 
Two more security issues have been announced on October 21:
http://openwall.com/lists/oss-security/2017/10/21/5

Summary: glibc new security issue CVE-2017-12132 => glibc new security issue CVE-2017-12132 and CVE-2017-1567[01]

Comment 2 Thomas Backlund 2017-10-22 23:18:58 CEST 
Yep, saw them on glibc devel ml today...
will fix them up in a day or so
Comment 3 David Walser 2017-10-26 17:59:19 CEST 
(In reply to David Walser from comment #1)
> Two more security issues have been announced on October 21:
> http://openwall.com/lists/oss-security/2017/10/21/5

Fedora has issued an advisory for this on October 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QGYTYJ24DSU5PZANSP74WZLR7KWQPZMG/
Comment 4 Thomas Backlund 2017-12-16 11:36:27 CET 
Cauldron is fixed, mga5 will probably not be fixed as its close to EOL... so it wont block this update... if I re-consider it will be done as a separate bugreport 

Fixing CVE-2017-1213[23], CVE-2017-1567[01], CVE-2017-15804, all in one go..

libtirpc is affected by  CVE-2017-12133, so its part of this update

SRPMS:
glibc-2.22-26.mga6.src.rpm
libtirpc-1.0.1-5.1.mga6.src.rpm


i586:
glibc-2.22-26.mga6.i586.rpm
glibc-devel-2.22-26.mga6.i586.rpm
glibc-doc-2.22-26.mga6.noarch.rpm
glibc-i18ndata-2.22-26.mga6.i586.rpm
glibc-profile-2.22-26.mga6.i586.rpm
glibc-static-devel-2.22-26.mga6.i586.rpm
glibc-utils-2.22-26.mga6.i586.rpm
nscd-2.22-26.mga6.i586.rpm

libtirpc-1.0.1-5.1.mga6.i586.rpm
libtirpc3-1.0.1-5.1.mga6.i586.rpm
libtirpc-devel-1.0.1-5.1.mga6.i586.rpm



x86_64:
glibc-2.22-26.mga6.x86_64.rpm
glibc-devel-2.22-26.mga6.x86_64.rpm
glibc-doc-2.22-26.mga6.noarch.rpm
glibc-i18ndata-2.22-26.mga6.x86_64.rpm
glibc-profile-2.22-26.mga6.x86_64.rpm
glibc-static-devel-2.22-26.mga6.x86_64.rpm
glibc-utils-2.22-26.mga6.x86_64.rpm
nscd-2.22-26.mga6.x86_64.rpm

lib64tirpc3-1.0.1-5.1.mga6.x86_64.rpm
lib64tirpc-devel-1.0.1-5.1.mga6.x86_64.rpm
libtirpc-1.0.1-5.1.mga6.x86_64.rpm

Whiteboard: MGA6TOO, MGA5TOO => (none)
Version: Cauldron => 6

Comment 5 David Walser 2017-12-16 18:31:52 CET 
*** Bug 21663 has been marked as a duplicate of this bug. ***
Comment 6 David Walser 2017-12-16 18:35:00 CET 
I would really like to see important ones like these fixed for Mageia 5.  It wasn't close to the EOL when I reported them, we just haven't had time to get around to fixing things this year.  This isn't some obscure packages.
Comment 7 Thomas Backlund 2017-12-16 20:57:09 CET 
Yeah, it only depend on how much work it is to backport the fixes to mga5, because I dont want to introduce a regression in a distro about to hit eol either... so we''ll see, but I will still keep it separate from this bug so mga6 can be validated asap too
Comment 8 Thomas Backlund 2017-12-21 16:53:25 CET 
Seems I forgot to assign this to QA

Assignee: tmb => qa-bugs

Comment 9 Thomas Backlund 2017-12-21 16:57:33 CET 
*** Bug 22242 has been marked as a duplicate of this bug. ***
Comment 10 Thomas Backlund 2017-12-21 21:47:50 CET 
x86_64 builds running here on several systems since 2017-12-16

CC: (none) => tmb

Comment 11 Dave Hodgins 2017-12-22 08:41:39 CET 
Tested while testing the kernel updates.

Validating the update

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 12 Thomas Backlund 2017-12-22 10:35:53 CET 
Please dont blindly copy fedora advisories... I already stated on last night QA meeting that I would fix up the missing advisories for my packages...

I've fixed up the advisory with stuff that actually affects our update


  The DNS stub resolver in the GNU C Library (aka glibc or libc6) before
  version 2.26, when EDNS support is enabled, will solicit large UDP
  responses from name servers, potentially simplifying off-path DNS
  spoofing attacks due to IP fragmentation.(CVE-2017-12132, CVE-2017-12133).

  The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one
  error leading to a heap-based buffer overflow (CVE-2017-15670).

  The glob function in glob.c in the GNU C Library (aka glibc or libc6)
  before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated
  memory when processing the ~ operator with a long user name, potentially
  leading to a denial of service (memory leak) (CVE-2017-15671).

  The glob function in glob.c in the GNU C Library (aka glibc or libc6)
  before 2.27 contains a buffer overflow during unescaping of user names
  with the ~ operator (CVE-2017-15804).

  As libtirpc is also affected by CVE-2017-12133, it's part of this update.
Comment 13 Mageia Robot 2017-12-22 11:31:58 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0464.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 Mageia Robot 2017-12-24 15:34:59 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0464.html