Bug 28246

Summary: glibc new security issues CVE-2020-27618, CVE-2021-3326 and CVE-2021-27645
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, mageia, sysadmin-bugs, wrw105
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga7-32-ok mga7-64-ok
Source RPM: glibc-2.29-21.mga7.src.rpm CVE:
Status comment:
Bug Depends on: 28273    
Bug Blocks:    

Description David Walser 2021-01-29 00:53:16 CET 
A CVE has been assigned for a bug fixed upstream in glibc:
https://www.openwall.com/lists/oss-security/2021/01/28/2

Thomas already fixed it in Cauldron:
r1673800 | tmb | 2021-01-28 04:25:42 -0500 (Thu, 28 Jan 2021) | 1 line

 gconv: Fix assertion failure in ISO-2022-JP-3 module [BZ #27256]
David Walser 2021-02-02 17:18:54 CET

Depends on: (none) => 28273

Comment 1 David Walser 2021-02-26 22:49:18 CET 
SUSE has issued an advisory for this on February 25:
https://lists.suse.com/pipermail/sle-security-updates/2021-February/008375.html
Comment 2 David Walser 2021-02-27 18:50:12 CET 
SUSE has issued an advisory on February 26:
https://lists.suse.com/pipermail/sle-security-updates/2021-February/008397.html

It fixes this, and an additional issue that Thomas already fixed in Mageia 8:

r1651569 | tmb | 2020-12-02 04:14:45 -0500 (Wed, 02 Dec 2020) | 1 line
iconv: Accept redundant shift sequences in IBM1364 [BZ #26224] (CVE-2020-27618)

Summary: glibc new security issue CVE-2021-3326 => glibc new security issues CVE-2020-27618 and CVE-2021-3326

Comment 3 David Walser 2021-02-28 15:15:01 CET 
openSUSE has issued an advisory for this on February 27:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WMNRZB427QFJOPYP4EA4KBZOTT622NY3/
Comment 4 Thomas Backlund 2021-03-11 21:21:13 CET 
glibc-2.29-22.mga7 building with:
- iconv: Accept redundant shift sequences in IBM1364 [BZ #26224] (CVE-2020-27618)
- gconv: Fix assertion failure in ISO-2022-JP-3 module [BZ #27256] (CVE-2021-3326)
- nscd: Fix double free in netgroupcache [BZ #27462] (CVE-2021-27645)

Summary: glibc new security issues CVE-2020-27618 and CVE-2021-3326 => glibc new security issues CVE-2020-27618, CVE-2021-3326 and CVE-2021-27645

Comment 5 Thomas Backlund 2021-03-11 22:17:23 CET 
SRPM:
glibc-2.29-22.mga7.src.rpm


i586:
glibc-2.29-22.mga7.i586.rpm
glibc-devel-2.29-22.mga7.i586.rpm
glibc-doc-2.29-22.mga7.noarch.rpm
glibc-i18ndata-2.29-22.mga7.i586.rpm
glibc-profile-2.29-22.mga7.i586.rpm
glibc-static-devel-2.29-22.mga7.i586.rpm
glibc-utils-2.29-22.mga7.i586.rpm
nscd-2.29-22.mga7.i586.rpm


x86_64:
glibc-2.29-22.mga7.x86_64.rpm
glibc-devel-2.29-22.mga7.x86_64.rpm
glibc-doc-2.29-22.mga7.noarch.rpm
glibc-i18ndata-2.29-22.mga7.x86_64.rpm
glibc-profile-2.29-22.mga7.x86_64.rpm
glibc-static-devel-2.29-22.mga7.x86_64.rpm
glibc-utils-2.29-22.mga7.x86_64.rpm
nscd-2.29-22.mga7.x86_64.rpm

Assignee: tmb => qa-bugs

Comment 6 Brian Rockwell 2021-03-16 18:18:02 CET 
The following 2 packages are going to be installed:

- glibc-2.29-22.mga7.x86_64
- glibc-devel-2.29-22.mga7.x86_64


I also installed this on my ancient server 32bit instance

Both are working as they should after the updates.

CC: (none) => brtians1

Comment 7 PC LX 2021-03-16 20:20:35 CET 
Installed and tested without issues.

This update has been in use for two days on this workstation. Lots of applications run (some proprietary) without any regressions noticed.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver. 


This update was also tested on a QEMU/KVM VM with Mageia 7. No issues noticed.

Guest system: Mageia 7, x86_64, LXQt DE, virtio drivers.


$ uname -a
Linux marte 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep glibc
glibc-devel-2.29-22.mga7
glibc-2.29-22.mga7

CC: (none) => mageia

Comment 8 Thomas Backlund 2021-03-16 22:14:26 CET 
Advisory, added to svn:

type: security
subject: Updated glibc packages fixes security vulnerabilities
CVE:
 - CVE-2020-27618
 - CVE-2021-3326
 - CVE-2021-27645
src:
  7:
   core:
     - glibc-2.29-22.mga7
description: |
  Updated glibc packages fix a security vulnerabilities:

  The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and
  earlier, when processing invalid multi-byte input sequences in IBM1364,
  IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the
  input state, which could lead to an infinite loop in applications,
  resulting in a denial of service (CVE-2020-27618).

  The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and
  earlier, when processing invalid input sequences in the ISO-2022-JP-3
  encoding, fails an assertion in the code path and aborts the program,
  potentially resulting in a denial of service (CVE-2021-3326).

  The nameserver caching daemon (nscd), when processing a request for netgroup
  lookup, may crash due to a double-free, potentially resulting in degraded
  service or Denial of Service on the local system (CVE-2021-27645).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28246

Keywords: (none) => advisory

Comment 9 Bill Wilkinson 2021-03-19 20:12:51 CET 
Tested mga7-32 under virtual box.
System booted normally worked fine for about an hour

CC: (none) => wrw105
Whiteboard: (none) => mga7-32-ok

Comment 10 Bill Wilkinson 2021-03-19 23:49:04 CET 
Tested mga7-64 on hardware
System booted fine and worked normally.

Whiteboard: mga7-32-ok => mga7-32-ok mga7-64-ok

Comment 11 Thomas Andrews 2021-03-20 01:13:54 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 12 Mageia Robot 2021-03-21 11:45:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0150.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED