| Summary: | glibc new security issue CVE-2017-18269 and CVE-2018-11236 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, jim, lists.jjorge, mageia, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK MGA6-32-OK | | |
| Source RPM: | glibc-2.22-28.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 22711 | | |
|
Description
David Walser
2018-06-07 22:20:39 CEST
Already fixed in Cauldron. Does not affect mga6 as the avx512 functions landed in 2.23 and we are at 2.22
Status: NEW => RESOLVED
Thanks. What about CVE-2017-18269 and CVE-2018-11236?
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004156.html
(In reply to David Walser from comment #2)
> Thanks. What about CVE-2017-18269 and CVE-2018-11236?
> http://lists.suse.com/pipermail/sle-security-updates/2018-June/004156.html
Both fixed in Cauldron, but still valid for Mga6, so reopening...
Resolution: INVALID => (none)
Marja Van Waes
2018-06-08 22:40:44 CEST
CC: (none) => marja11
openSUSE has issued an advisory for this today (June 8):
https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00010.html
CVE-2017-18269 and CVE-2018-11236 fixed in:
SRPMS:
glibc-2.22-29.mga6.src.rpm
i586:
glibc-2.22-29.mga6.i586.rpm
glibc-devel-2.22-29.mga6.i586.rpm
glibc-doc-2.22-29.mga6.noarch.rpm
glibc-i18ndata-2.22-29.mga6.i586.rpm
glibc-profile-2.22-29.mga6.i586.rpm
glibc-static-devel-2.22-29.mga6.i586.rpm
glibc-utils-2.22-29.mga6.i586.rpm
nscd-2.22-29.mga6.i586.rpm
x86_64:
glibc-2.22-29.mga6.x86_64.rpm
glibc-devel-2.22-29.mga6.x86_64.rpm
glibc-doc-2.22-29.mga6.noarch.rpm
glibc-i18ndata-2.22-29.mga6.x86_64.rpm
glibc-profile-2.22-29.mga6.x86_64.rpm
glibc-static-devel-2.22-29.mga6.x86_64.rpm
glibc-utils-2.22-29.mga6.x86_64.rpm
nscd-2.22-29.mga6.x86_64.rpm
Assignee: tmb => qa-bugs
Mageia 6, x86_64
The upstream links seem to indicate that one of the vulnerabilities affects 32-bit systems only. No definite PoCs for the other two issues but there is a test program for one of them which upstream testers found rarely demonstrated the fault.
Updated all the packages and rebooted.
Compiled the memorex.c program from the man page for memusage.
$ ./memorex
malloc: 400
realloc: 440
[....]
realloc: 240
realloc: 440
I do not remember where this snippet came from but compiled it anyway.
--------------------------------
// test-posix-memalign.c
// gcc -o test-posix-memalign test-posix-memalign.c
#include <stdlib.h>
#include <stdint.h>
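int main( int argc, char **argv )
{
    void *p;
    // Ask for nearly SIZE_MAX bytes at 16-byte alignment; the exit status is
    // posix_memalign's return value (0 on success, an error number otherwise).
    return posix_memalign( &p, 0x10, SIZE_MAX - 0x20 );
}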
--------------------------------
$ mtrace ./test-posix-memalign
No memory leaks.
Tried a local build.
Celestia sources already installed in a local directory.
$ cd celestia
$ ls
BUILD/ BUILDROOT/ RPMS/ SOURCES/ SPECS/ SRPMS/
$ bm -l
Successful rebuild of celestia packages with a lot of references to glibc.
$ ll RPMS/x86_64
total 37924
-rw-r--r-- 1 lcl lcl 34121386 Jun 18 08:59 celestia-1.6.1-18.mga6.x86_64.rpm
-rw-r--r-- 1 lcl lcl 4707726 Jun 18 08:59 celestia-debuginfo-1.6.1-18.mga6.x86_64.rpm
Name Service Caching Daemon:
$ sudo nscd -g
produced an extensive summary of the nscd configuration and several cache tables.
It all looks fine. This is one of those packages which should definitely be tested on 32-bit architectures particularly as one of the vulnerabilities manifests itself in operations which cross the 32-bit word-size boundary, such as block moves greater in size than a 31-bit number. More tests for 64-bits would be good also.
CC: (none) => tarazed25
On real hardware, HP 6550b, 8GB, Intel graphics, Intel wifi. 64-bit Plasma system, using the desktop kernel. No specific tests done here. Installed the presented updates, then rebooted. Used it for a short time, with no regressions noted. Then I updated to the 4.14.50-1 desktop kernel, and rebooted once more. After more use, again, no regressions noted. Using it to make this report.
CC: (none) => andrewsfarm
on mga6-32 4.14.44-server xfce
updates installed:
- glibc-2.22-29.mga6.i586
- glibc-devel-2.22-29.mga6.i586
no regressions noted
seems to be OK for mga6-32 on this system:
Machine: Device: desktop Mobo: ECS model: GeForce7050M-M v: 1.0
CPU: Quad core AMD Phenom 9500 (-MCP-)
Graphics: Card: NVIDIA GK208B [GeForce GT 710]
Display Server: Mageia X.org 119.5 drivers: nvidia,v4l
GLX Renderer: GeForce GT 710/PCIe/SSE2/3DNOW!
GLX Version: 4.6.0 NVIDIA 390.59
CC: (none) => jim
Installed and tested without issues. Tested through two boot cycles and many applications used. No regressions noticed.
System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.
$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep glibc | sort
glibc-2.22-29.mga6
glibc-devel-2.22-29.mga6
CC: (none) => mageia
on mga6-64 4.14.44-desktop plasma
packages installed cleanly:
- glibc-2.22-29.mga6.x86_64
- glibc-devel-2.22-29.mga6.x86_64
- nscd-2.22-29.mga6.x86_64
no regressions noted
looks OK for mga6-64 on this system:
Machine: Device: desktop System: Dell product: Precision Tower 3620
CPU: Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics: Card: Intel HD Graphics 530
On real hardware, Athlon X2, 8GB, nvidia340 graphics, Atheros wifi, 64-bit Plasma install using the server kernel. Installed glibc and glibc-devel first, then went back and installed kernel-server 4.14.50-2, because it frequently happens that users will update in one session like this. All packages installed cleanly. Upon rebooting, tried several apps, no regressions noted.
Also OK in mga6-64 and mga6-32 vbox clients
on mga6-64 kernel-desktop xfce
packages installed cleanly:
- glibc-2.22-29.mga6.x86_64
- glibc-devel-2.22-29.mga6.x86_64
no regressions noted
OK for mga6-64 on this system:
Machine: Device: desktop Mobo: ECS model: GeForce7050M-M
CPU: Quad core AMD Phenom 9500 (-MCP-)
Graphics: Card: NVIDIA GK208B [GeForce GT 710]
Mga6-32 on Pentium M740. Lots of testing done in both archs, whiteboarding.
Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
David Walser
2018-06-24 18:00:32 CEST
Blocks: (none) => 22711
Copious OKs. Validating. Needs advisory Thomas.
Keywords: (none) => validated_update
Advisory:
========================
Updated glibc packages fix security vulnerabilities:
An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution (CVE-2017-18269).
stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution (CVE-2018-11236).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11236
https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00010.html
Thanks David. Advisoried.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0293.html
Resolution: (none) => FIXED
|
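The overlap-check failure that the advisory above describes for CVE-2017-18269, as an added illustration that is not part of the bug thread and is not glibc code. It assumes the faulty check can be modelled as a signed comparison of 32-bit addresses; BASE, WIN, toy_memmove and copy_is_correct are names constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a 256-byte window of a 32-bit address space whose
   "virtual" base is chosen so that 0x80000000 falls in the middle. */
#define BASE 0x7fffff80u
#define WIN  256u

/* Decide copy direction: a backward copy is needed when dst lies above src.
   use_signed=1 models the assumed flaw (signed address comparison). */
static int need_backward(uint32_t dst, uint32_t src, int use_signed)
{
    if (use_signed)
        return (int32_t)src < (int32_t)dst;   /* wrong across 0x80000000 */
    return src < dst;                         /* unsigned: correct */
}

/* Byte-wise toy memmove over the window, addressed by virtual addresses. */
static void toy_memmove(uint8_t *win, uint32_t dst, uint32_t src,
                        uint32_t len, int use_signed)
{
    uint8_t *d = win + (dst - BASE), *s = win + (src - BASE);
    if (need_backward(dst, src, use_signed))
        for (uint32_t i = len; i-- > 0; ) d[i] = s[i];
    else
        for (uint32_t i = 0; i < len; i++) d[i] = s[i];
}

/* Returns 1 if the toy copy matches libc memmove for an overlapping move
   whose source range [src, src+len) spans 0x80000000, else 0. */
int copy_is_correct(int use_signed)
{
    uint8_t a[WIN], b[WIN];
    for (uint32_t i = 0; i < WIN; i++) a[i] = b[i] = (uint8_t)i;
    uint32_t src = 0x7ffffff0u, dst = 0x80000010u, len = 0x40u;
    toy_memmove(a, dst, src, len, use_signed);
    memmove(b + (dst - BASE), b + (src - BASE), len);   /* reference copy */
    return memcmp(a, b, WIN) == 0;
}

int main(void)
{
    printf("unsigned check: %s\n", copy_is_correct(0) ? "ok" : "CORRUPT");
    printf("signed check:   %s\n", copy_is_correct(1) ? "ok" : "CORRUPT");
    return 0;
}
```

With the signed comparison the source address looks larger than the destination, so the copy runs forward and overwrites source bytes before reading them, which is the "corrupt data" outcome the advisory names.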