| Summary: | bash new security issue CVE-2012-3410 [mga1 & 2] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Olivier Blin <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | minor | | |
| Priority: | Low | CC: | cmrisolde, davidwhodgins, luigiwalser, mageia, olivier.delaune, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/507815/ | | |
| Whiteboard: | MGA1TOO mga2-64-OK MGA1-32-OK MGA2-32-OK MGA1-64-OK | | |
| Source RPM: | bash-4.2-5.mga1.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 6858 | | |
| Bug Blocks: | | | |

Description
Olivier Blin
2012-07-23 23:32:22 CEST
David Walser
2012-07-24 00:12:55 CEST
Whiteboard: (none) => MGA1TOO

Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Bash has been updated to patchlevel 37 to fix several minor issues. One of these is a buffer overflow vulnerability related to using the test command with invalid filenames in the /dev/fd directory (CVE-2012-3410).

Mageia is not vulnerable to a buffer overflow with this issue because of the compiler options that were used to build it, but it can still cause a crash.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3410
http://lists.opensuse.org/opensuse-updates/2012-07/msg00038.html
========================

Updated packages in core/updates_testing:
========================
bash-4.2-5.1.mga1
bash-doc-4.2-5.1.mga1
bash-4.2-5.1.mga2
bash-doc-4.2-5.1.mga2

from SRPMS:
bash-4.2-5.1.mga1.src.rpm
bash-4.2-5.1.mga2.src.rpm

Priority: Normal => Low

Note to QA: When I built this locally and installed it, when I first tried it the reproducer still worked. I built it in a VM and rebooted it before trying it and the reproducer didn't work. So, if you install the update and the reproducer still works, try rebooting :o)

Testing on Mageia 2 64-bits. After installing bash-4.2-5.1.mga2, I closed the terminal. I opened a new one and I tried:
test -e /dev/fd/111111111111111111111111111111111111
The crash had disappeared.
So, ok for me.

CC: (none) => olivier.delaune

(In reply to comment #3)
> Testing on Mageia 2 64-bits. After installing bash-4.2-5.1.mga2, I closed the
> terminal. I opened a new one and I tried:
> test -e /dev/fd/111111111111111111111111111111111111
> The crash had disappeared
> So, ok for me.

Thanks, I've set the whiteboard comment based on your test.

Whiteboard: MGA1TOO => MGA1TOO mga2-64-OK

Testing complete on Mageia 1 i586.

Before updating ...
$ test -e /dev/fd/111111111111111111111111111111111111
*** buffer overflow detected ***: /bin/bash terminated

After the update,
$ test -e /dev/fd/111111111111111111111111111111111111
$ echo $?
1

I'll test Mageia 2 i586 shortly.

CC: (none) => davidwhodgins

Testing complete on Mageia 2 i586.

Whiteboard: MGA1TOO mga2-64-OK => MGA1TOO mga2-64-OK MGA1-32-OK MGA2-32-OK

Tested on Mga 1 64-bit.
Before: crash message
After: same as in comment 5
Presumably that's OK, so I've added it to the whiteboard.
Carolyn

CC: (none) => isolde

That's great Carolyn, thank you. This can be validated now, do you want to do it or shall I?

Update validated on Mga1 and Mga2 both archs.
See comment 1 for advisory and SRPMs.
Could sysadmin please push from core/updates_testing to core/updates.
Thank you.
Carolyn

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0184

Status: NEW => RESOLVED
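
The before/after check the testers ran by hand can be scripted as below. This is an added example, not part of the original report or of the Mageia QA tooling, and the function names `classify_status` and `check_shell` are hypothetical. It runs the reproducer in a newly started shell because `test` is a builtin, and a shell that was already running before the package update still executes the binary it was started from.

```shell
#!/bin/sh
# Added example: regression check for the reproducer quoted in this report.
# Function names are hypothetical; the path is the one the testers used.
REPRO_PATH=/dev/fd/111111111111111111111111111111111111

# Turn the child's exit status into a verdict.
#   1     -> test -e ran to completion and reported "no such file"
#   >128  -> the child shell was killed by signal (status - 128)
classify_status() {
    status=$1
    if [ "$status" -eq 1 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "crashed(signal $((status - 128)))"
    else
        echo "unexpected($status)"
    fi
}

# Run the reproducer in a newly started copy of the shell under test, so the
# result reflects the binary on disk and not the shell the tester is typing in.
check_shell() {
    shell_bin=${1:-/bin/bash}
    status=0
    "$shell_bin" -c "test -e $REPRO_PATH" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Stand-alone use: sh check.sh --run [path-to-shell]
if [ "${1:-}" = "--run" ]; then
    check_shell "${2:-/bin/bash}"
fi
```

A verdict of `crashed(signal 6)` corresponds to the abort behind the "*** buffer overflow detected ***" message in the Mageia 1 i586 test, and `ok` matches the exit status 1 seen after the update.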