| Summary: | glibc new security issue CVE-2024-2961 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, dan, fri, herman.viaene, joselp, mageia, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-32-OK MGA9-64-OK | | |
| Source RPM: | glibc-2.36-52.mga9.src.rpm | CVE: | CVE-2024-2961 |
| Status comment: | | | |
Description
Nicolas Salguero
2024-04-22 09:59:12 CEST
Nicolas Salguero
2024-04-22 10:00:05 CEST
Source RPM: (none) => glibc-2.36-52.mga9.src.rpm

Suggested advisory:
========================

The updated packages fix a security vulnerability:

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable. (CVE-2024-2961)

References:
https://www.openwall.com/lists/oss-security/2024/04/17/9
========================

Updated packages in core/updates_testing:
========================
glibc-2.36-53.mga9
glibc-devel-2.36-53.mga9
glibc-doc-2.36-53.mga9
glibc-i18ndata-2.36-53.mga9
glibc-profile-2.36-53.mga9
glibc-static-devel-2.36-53.mga9
glibc-utils-2.36-53.mga9
nscd-2.36-53.mga9

from SRPM:
glibc-2.36-53.mga9.src.rpm

Status comment: Patch available from upstream => (none)
PC LX
2024-04-22 12:05:38 CEST
CC: (none) => mageia
katnatek
2024-04-22 21:25:45 CEST
Keywords: (none) => advisory

Mageia9, x86_64
All packages installed/updated cleanly. Rebooted from linus kernel to desktop kernel OK and all seems to be well.

CC: (none) => tarazed25

Tried out memusage in basic manner:
$ memusage --png=test glmark2 -b refract
This produced columns of numbers and histograms in the terminal and also a graphical representation in test.png. No idea what it all means but it seems to work. The other glibc-utils are trace facilities for memory leaks and function calls.

Mageia9, x86_64
All packages installed/updated cleanly. Reboot ok, no issues for the moment. Currently, I have been using my computer fine.

CC: (none) => joselp

MGA9-64 Plasma Wayland on HP-Pavilion
No installation issues. Rebooted after installation.
Repeated test from Comment 3 above with same results.
Tested LO files, wav, avi, this internet connection, all works OK.

CC: (none) => herman.viaene

MGA9-64, Cinnamon, i7 M620, nvidia GT218M (Nouveau), laptop
It was installed with my kernel testing on this machine. No issues with machine and functioning as expected.

CC: (none) => brtians1

mga9-64 on my workstation
Updated, rebooted, used a few hours, no issues noted

CC: (none) => fri

MGA9-64 Plasma on an HP Pavilion. Updated without issues this morning, used it for a couple of hours without any problems.

CC: (none) => andrewsfarm

MGA9-32 Xfce, Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics, desktop586 kernel.
No installation issues, and a quick check showed no issues to report. I will do a better test later today when I get the time, but I don't anticipate any problems.

RH mageia 8 i586
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
installing glibc-devel-2.36-53.mga9.i586.rpm glibc-2.36-53.mga9.i586.rpm glibc-utils-2.36-53.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing... ################################################################
1/3: glibc ################################################################
2/3: glibc-devel ################################################################
3/3: glibc-utils ################################################################
1/3: removing glibc-utils-6:2.36-52.mga9.i586
################################################################
2/3: removing glibc-devel-6:2.36-52.mga9.i586
################################################################
3/3: removing glibc-6:2.36-52.mga9.i586
################################################################
You should restart your computer for glibc
restarting urpmi
installing nscd-2.36-53.mga9.i586.rpm glibc-doc-2.36-53.mga9.noarch.rpm glibc-i18ndata-2.36-53.mga9.i586.rpm glibc-profile-2.36-53.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing... ################################################################
1/4: glibc-profile ################################################################
2/4: glibc-i18ndata ################################################################
3/4: glibc-doc ################################################################
4/4: nscd ################################################################
1/4: removing glibc-profile-6:2.36-52.mga9.i586
################################################################
2/4: removing glibc-i18ndata-6:2.36-52.mga9.i586
################################################################
3/4: removing glibc-doc-6:2.36-52.mga9.noarch
################################################################
4/4: removing nscd-6:2.36-52.mga9.i586
################################################################
Reboot
test memusage --png=test rpm -qa
Works fine
(In reply to katnatek from comment #10)
> RH mageia 8 i586

Of course it is mageia 9

MGA9-32 Xfce again on Foolishness, this time with the desktop kernel. This particular install hadn't been used in a while, and there were several updates waiting, a good test of that situation.
No installation issues, including updating the kernel. After the reboot, tried several things, with no obvious issues to report. Looks good enough to me.
Validating the update.

CC: (none) => sysadmin-bugs

This was pushed to updates while Bugzilla was down.
https://advisories.mageia.org/MGASA-2024-0147.html

Status: ASSIGNED => RESOLVED

(In reply to Dan Fandrich from comment #13)
> This was pushed to updates while Bugzilla was down.
> https://advisories.mageia.org/MGASA-2024-0147.html

I note that, but I was waiting to see if the normal notification of mageia robot comes or not
Thank you

It won't come. It tries once and if it fails, that's it.

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0147.html

Interesting, the notification did eventually come. It seems mgaadv looks at the status file for previous advisories every time it's run and retries previous failures in the bug close (and presumably) mail steps. I learned something today.