| Summary: | update request: glibc-2.20-26.mga5 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Thomas Backlund <tmb> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, smelror, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | glibc | CVE: | |
| Status comment: | |||
Description
Thomas Backlund
2017-12-22 21:36:08 CET
Advisory, added to svn:

type: security
subject: Updated glibc packages fix security vulnerabilities
CVE:
  - CVE-2017-12132
  - CVE-2017-12133
  - CVE-2017-15670
  - CVE-2017-15671
  - CVE-2017-15804
src:
  5:
    core:
      - glibc-2.20-26.mga5
      - libtirpc-0.2.5-3.3.mga5
description: |
  The DNS stub resolver in the GNU C Library (aka glibc or libc6) before
  version 2.26, when EDNS support is enabled, will solicit large UDP
  responses from name servers, potentially simplifying off-path DNS
  spoofing attacks due to IP fragmentation (CVE-2017-12132, CVE-2017-12133).

  The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one
  error leading to a heap-based buffer overflow (CVE-2017-15670).

  The glob function in glob.c in the GNU C Library (aka glibc or libc6)
  before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated
  memory when processing the ~ operator with a long user name, potentially
  leading to a denial of service (memory leak) (CVE-2017-15671).

  The glob function in glob.c in the GNU C Library (aka glibc or libc6)
  before 2.27 contains a buffer overflow during unescaping of user names
  with the ~ operator (CVE-2017-15804).

  As libtirpc is also affected by CVE-2017-12133, it's part of this update.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=22255

Keywords: (none) => advisory

Hi. I have booted up both x86_64 and i586 with the new glibc release and it looks OK. If my memory serves me correctly, there was a mention on the #mageia-qa meeting that a boot "was enough" of a test for this package. Are there more tests necessary before it can be validated?

Cheers,
Stig

CC: (none) => smelror

It needs to be tested/used on both arches... And since it's a low-level package... preferably keep using it for at least a day or so to flush out any latent bugs in it...

Mageia 5 :: x86_64
Updated all the packages:
$ rpm -qa | grep glibc
glibc-profile-2.20-26.mga5
glibc-2.20-26.mga5
glibc-utils-2.20-26.mga5
glibc-static-devel-2.20-26.mga5
glibc-doc-2.20-26.mga5
glibc-devel-2.20-26.mga5
glibc-i18ndata-2.20-26.mga5
$ rpm -qa | grep tirpc
lib64tirpc-devel-0.2.5-3.3.mga5
lib64tirpc1-0.2.5-3.3.mga5
libtirpc-0.2.5-3.3.mga5
Rebooted to:
System: Host: vega Kernel: 4.4.105-tmb-desktop-1.mga5 x86_64 (64 bit)
Desktop: N/A Distro: Mageia 5 thornicroft
CPU: Quad core Intel Core i7-4790K (-HT-MCP-) clocked at 4399 MHz
No problems apparent.
Rebooted to
System: Host: vega Kernel: 4.4.105-desktop-1.mga5 x86_64
Leaving this running.

CC: (none) => tarazed25

Using M5/64 real hardware.
glibc-2.20-26.mga5
4.4.105-tmb-desktop-1.mga5
No problems after some usage.

Mageia 5 for i586 in vbox
4.4.105-desktop586-1.mga5
Updated glibc and other packages.
$ rpm -qa | egrep "glibc|nscd|libtirp" | sort
glibc-2.20-26.mga5
glibc-devel-2.20-26.mga5
glibc-doc-2.20-26.mga5
glibc-i18ndata-2.20-26.mga5
glibc-profile-2.20-26.mga5
glibc-static-devel-2.20-26.mga5
glibc-utils-2.20-26.mga5
libtirpc-0.2.5-3.3.mga5
libtirpc1-0.2.5-3.3.mga5
libtirpc-devel-0.2.5-3.3.mga5
nscd-2.20-26.mga5
The desktop runs smoothly over a range of activities: browsing, editing, commandline, running videos, image viewing, word-processing, printing, NFS shares, other network activity, gkrellm, stress tests, package installation, ruby scripting, ....

Whiteboard: (none) => MGA5-32-OK

The x86_64 build has been running on the mageia infra for 24+ hours too without issues, including the heavily loaded build nodes...

MGA5-32 on Dell Latitude D600
No installation issues. Tested pdf, odt and ods files, played video and showed pictures, played contents (pictures and video) from website, all OK.

CC: (none) => herman.viaene

No problems found. Validating the update.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0470.html

Status: NEW => RESOLVED