Bug 28942

Summary: glibc new security issue CVE-2016-10228
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, herman.viaene, ouaurelien, sysadmin-bugs, tarazed25
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: glibc-2.29-22.mga7.src.rpm
CVE: CVE-2016-10228
Status comment:

Description David Walser 2021-05-18 23:39:29 CEST
RedHat has issued an advisory today (May 18):
https://access.redhat.com/errata/RHSA-2021:1585
Comment 1 Thomas Backlund 2021-05-31 12:05:08 CEST
Mga7 is EOL.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 2 Frédéric "LpSolit" Buclin 2021-05-31 18:47:55 CEST
(In reply to Thomas Backlund from comment #1)
> Mga7 is EOL.

Per https://ml.mageia.org/l/arc/council/2021-05/msg00019.html, Mageia 7 is not yet EOL.
David Walser 2021-05-31 19:33:16 CEST

Status: RESOLVED => REOPENED
Resolution: WONTFIX => (none)

Comment 3 David Walser 2021-06-22 00:48:53 CEST
Advisory:
========================

Updated glibc packages fix security vulnerability:

A vulnerability was found in the iconv program provided by glibc when it's
invoked with the -c option. It can enter an infinite loop while parsing an
invalid multi-byte sequence (CVE-2016-10228).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228
https://access.redhat.com/errata/RHSA-2021:1585
========================

Updated packages in core/updates_testing:
========================
glibc-2.29-23.mga7
glibc-devel-2.29-23.mga7
glibc-static-devel-2.29-23.mga7
glibc-profile-2.29-23.mga7
nscd-2.29-23.mga7
glibc-utils-2.29-23.mga7
glibc-i18ndata-2.29-23.mga7
glibc-doc-2.29-23.mga7

from glibc-2.29-23.mga7.src.rpm

Assignee: tmb => qa-bugs

Comment 4 Herman Viaene 2021-06-23 16:20:06 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
rebooted after installation, comes up OK.
Nothing obvious wrong with wifi, internet and NFS-shares access and different file types.

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2021-06-24 20:20:26 CEST
Took a look at the CVE and ran the two oneliners suggested on the RedHat bug.
CVE-2016-10228
https://sourceware.org/bugzilla/show_bug.cgi?id=19519

Before updates:
$ echo -en '\x80' | iconv -f us-ascii -t us-ascii//translit//ignore -c
Hangs....
$ echo -en "\x0e\x0e" | /usr/bin/iconv -c -f IBM1364
$

After the updates neither hang iconv.
$ echo -en '\x80' | iconv -f us-ascii -t us-ascii//translit//ignore -c
$ echo -en "\x0e\x0e" | /usr/bin/iconv -c -f IBM1364
Note that the second test needs glibc-i18ndata.

Going with Herman - this looks good.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
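The two reproducers quoted above, wrapped in a watchdog so that a still-affected iconv is killed and reported as a hang instead of blocking the terminal. This is an added verification script, not part of the bug report or of the glibc package; it assumes only a POSIX sh with iconv, mktemp, sleep and kill on PATH, and uses printf octal escapes in place of the report's echo -en \x escapes.

```shell
#!/bin/sh
# Added verification helper for CVE-2016-10228; not from the bug report or glibc.
# Runs the two iconv reproducers quoted in comment 5 under a time limit, so a glibc
# that still loops forever reports HANG instead of blocking the shell.
# Assumes only a POSIX sh with iconv, mktemp, sleep and kill available.

# run_with_limit SECONDS INPUTFILE CMD [ARGS...]: run CMD with stdin from INPUTFILE.
# Returns 124 (the coreutils timeout convention) if CMD had to be killed after
# SECONDS, otherwise CMD's own exit status.
run_with_limit() {
    limit=$1; input=$2; shift 2
    marker=$(mktemp)                     # watchdog writes here if it had to kill CMD
    "$@" <"$input" >/dev/null 2>&1 &
    pid=$!
    ( sleep "$limit"; kill "$pid" 2>/dev/null && echo hung >"$marker" ) >/dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$pid" || status=$?
    kill "$watchdog" 2>/dev/null         # its sleep may linger briefly; harmless
    if [ -s "$marker" ]; then status=124; fi
    rm -f "$marker"
    return "$status"
}

# iconv_reproducer NAME BYTES ICONV_ARGS...: feed the constructed byte sequence
# BYTES (printf octal escapes) to iconv with the report's arguments, 5 second limit.
# Returns 0 if iconv terminated normally, 1 if it was killed (loop still present),
# 2 if iconv failed outright (for example the IBM1364 gconv module is not installed).
iconv_reproducer() {
    name=$1; bytes=$2; shift 2
    input=$(mktemp)
    printf "$bytes" >"$input"
    rc=0
    run_with_limit 5 "$input" iconv "$@" || rc=$?
    rm -f "$input"
    case $rc in
        0)   echo "OK   $name: iconv $* terminated"; return 0 ;;
        124) echo "HANG $name: iconv $* killed after 5s, CVE-2016-10228 still present"; HANGS=$((HANGS + 1)); return 1 ;;
        *)   echo "SKIP $name: iconv $* exited with status $rc (charset unsupported?)"; return 2 ;;
    esac
}

HANGS=0
iconv_reproducer "us-ascii translit" '\200' -f us-ascii -t us-ascii//translit//ignore -c || :
iconv_reproducer "IBM1364 shift" '\016\016' -c -f IBM1364 || :   # needs glibc-i18ndata
echo "$HANGS of 2 reproducers hung"
```

A SKIP on the IBM1364 case means the charset module was not available, not that the fix was verified.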

Comment 6 Thomas Andrews 2021-06-27 02:54:08 CEST
Good enough for me. Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Aurelien Oudelet 2021-06-28 21:15:38 CEST
Assigning.
Advisory committed.

CC: (none) => ouaurelien
CVE: (none) => CVE-2016-10228
Status: REOPENED => ASSIGNED
Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-06-28 23:18:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0289.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED