| Summary: | glibc new security issue CVE-2023-4911 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, fri, ghibomgx, guillaume.royer, joselp, mageia, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK MGA8-32-OK MGA9-32-OK | ||
| Source RPM: | glibc-2.36-50.mga9.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | screenshot | ||
|
Description
Nicolas Salguero
2023-10-09 15:53:07 CEST
Nicolas Salguero
2023-10-09 15:55:19 CEST
CC:
(none) =>
nicolas.salguero
Nicolas Salguero
2023-10-09 16:22:31 CEST
Severity:
normal =>
critical Add to Giuseppe Ghibò, he was working on it CC:
(none) =>
ghibomgx Assigning to nicolasS as you have already committed the patch for this CVE: Mon Oct 9 14:by ns80 - add a patch for CVE-2023-4911 (mga#32357) Assignee:
bugsquad =>
nicolas.salguero Suggested advisory: ======================== The updated packages fix a security vulnerability: A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. (CVE-2023-4911) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911 https://www.openwall.com/lists/oss-security/2023/10/03/2 ======================== Updated packages in 9/core/updates_testing: ======================== glibc-2.36-51.mga9 glibc-devel-2.36-51.mga9 glibc-doc-2.36-51.mga9 glibc-i18ndata-2.36-51.mga9 glibc-profile-2.36-51.mga9 glibc-static-devel-2.36-51.mga9 glibc-utils-2.36-51.mga9 nscd-2.36-51.mga9 from SRPM: glibc-2.36-51.mga9.src.rpm Updated packages in 8/core/updates_testing: ======================== glibc-2.32-32.mga8 glibc-devel-2.32-32.mga8 glibc-doc-2.32-32.mga8 glibc-i18ndata-2.32-32.mga8 glibc-profile-2.32-32.mga8 glibc-static-devel-2.32-32.mga8 glibc-utils-2.32-32.mga8 nscd-2.32-32.mga8 from SRPM: glibc-2.32-32.mga8.src.rpm Whiteboard:
MGA9TOO, MGA8TOO =>
MGA8TOO Advisory from comment 3 uploaded. Please remove the "advisory" keyword and obsolete comment 3 if it needs to be changed. CC:
(none) =>
marja11 Installed from testing repositories, no issues for here. Reboot ok, update ok, apps ok. Greetings!! CC:
(none) =>
joselp MGA9-64, AMD Ryzen 5 2600, Nvidia 730GT (Nouveau), GNOME The following 3 packages are going to be installed: - glibc-2.36-51.mga9.x86_64 - glibc-devel-2.36-51.mga9.x86_64 - nscd-2.36-51.mga9.x86_64 156KB of additional disk space will be used. - rebooted System came up - woohoo Systems are working as expected. Audio and video working. Nothing quirky. CC:
(none) =>
brtians1 Before install, I run a script suggested on reports related to this CVE i confirm the segfault Install all packages, reboot and run the script again, not segfault this time, I guess that means the packages solve the CVE Tested on Mageia 9 Plasma x86_64 MGA9-64 Core I5 16Go RAM DE GNOME Updated with QA Repo: glibc 2.36 51.mga9 x86_64 glibc-devel 2.36 51.mga9 x86_64 No issues after installation, reboot Ok CC:
(none) =>
guillaume.royer MGA8-64, Plasma, AMD Ryzen 2600, nouveau The following 3 packages are going to be installed: - glibc-2.32-32.mga8.x86_64 - glibc-devel-2.32-32.mga8.x86_64 - nscd-2.32-32.mga8.x86_64 160KB of additional disk space will be used. rebooted sound, etc. work. Working as expected.
PC LX
2023-10-11 00:37:04 CEST
CC:
(none) =>
mageia mga8-64 OK here running on intel i7-870, nvidia470, Plasma, with every update incl updates_testing; kernel, mesa, ... CC:
(none) =>
fri HP Pavilion 15, A8-4555, AMD HD 7600G graphics. Two Plasma installs, one MGA8, the other MGA9. No installation issues. Both installs seem to be acting normally after the reboot. Giving this a 64-bit OK on both releases. But, being that glibc is basic to Mageia function, we still need i586 tests before validating. CC:
(none) =>
andrewsfarm Tested on Mageia 9 i586, made the test in comment#7, normal use look good On Foolishness, my Dell Inspiron 5100, 32-bit P4, Radeon RV200 graphics. Two 32-bit Xfce systems, one MGA8, the other MGA9. No installation issues, and no issues noted on either system after the reboot. Using the MGA9 install now. With these tests and comment 12, looks good to go to me. Validating. Keywords:
(none) =>
validated_update
Thomas Andrews
2023-10-11 19:21:32 CEST
Whiteboard:
MGA8TOO MGA8-64-OK Mga9-64-OK MGA8032-OK MGA9-32-OK =>
MGA8TOO MGA8-64-OK Mga9-64-OK MGA8-32-OK MGA9-32-OK Tested on VM with Mageia 8 i586 XFCE, before install the test script segfaul, after install all glibc packages listed for mga 8 and reboot, the test script not segfault Normal use look good @marja & neoclust, I just see the src.rpms in the advisory on svn, Its that fine? Whiteboard:
MGA8TOO MGA8-64-OK Mga9-64-OK MGA8-32-OK MGA9-32-OK =>
MGA8TOO MGA8-64-OK MGA9-64-OK MGA8-32-OK MGA9-32-OK An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0286.html Resolution:
(none) =>
FIXED Created attachment 14046 [details]
screenshot
I cannot apply this update due to problems with dependencies, see the screenshot. This is with Mageia 8.
This update has already been pushed. Please open a new bug on this issue, so it can be investigated.
Frédéric "LpSolit" Buclin
2023-10-12 12:41:41 CEST
Blocks:
(none) =>
32379 This update has been pushed, and by now many users have probably installed it. It's too late to block it. Your bug 32379 will have to generate a new glibc update. Blocks:
32379 =>
(none) |