A security issue in musl has been announced on June 7 (or 6 in some timezones):
http://seclists.org/oss-sec/2014/q2/495

It was fixed upstream in 1.1.2, which tv uploaded for Cauldron. It was also fixed in 1.0.3. You can see both releases here:
http://freecode.com/projects/musl/releases/364244

A patch was attached to the post I linked at the top.

The version in Mageia 3 is too old to be vulnerable.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated musl package fixes security vulnerability:

A remote stack-based buffer overflow has been found in musl libc's dns response parsing code. The overflow can be triggered in programs linked against musl libc and making dns queries via one of the standard interfaces (getaddrinfo, getnameinfo, gethostbyname, gethostbyaddr, etc.) if one of the configured nameservers in resolv.conf is controlled by an attacker, or if an attacker can inject forged udp packets with control over their contents. Denial of service is also possible via a related failure in loop detection (CVE-2014-3484).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3484
http://seclists.org/oss-sec/2014/q2/495
========================

Updated packages in core/updates_testing:
========================
musl-devel-0.9.14-2.1.mga4

from musl-0.9.14-2.1.mga4.src.rpm
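The advisory above names two parser failures: a stack buffer overflow and a failed loop detection. As an added example (not musl's code, not the upstream patch, and not part of this report), here is a name decoder that bounds every read and write and caps pointer jumps. It assumes the loop is the usual one formed by RFC 1035 compression pointers; `expand_name`, `MAX_HOPS` and the sample packet are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255  /* RFC 1035 limit on name length */
#define MAX_HOPS 16   /* assumed cap on compression-pointer jumps */

/* Constructed sample: "www.example.com" at 0, a pointer to offset 4 at 17,
 * a pointer to itself at 19, and a label that overruns the packet at 21. */
static const unsigned char sample[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0xC0,0x04, 0xC0,0x13, 0x3F,'a' };

/* Expand the name at msg[off] into out as dotted text.
 * Returns the text length, or -1 on malformed or oversized input. */
int expand_name(const unsigned char *msg, size_t msglen, size_t off,
                char *out, size_t outlen)
{
    size_t o = 0, need;
    unsigned len;
    int hops = 0;
    if (outlen == 0) return -1;
    for (;;) {
        if (off >= msglen) return -1;              /* read past packet end */
        len = msg[off];
        if (len == 0) break;                       /* root label: finished */
        if ((len & 0xC0) == 0xC0) {                /* compression pointer */
            if (off + 1 >= msglen) return -1;
            if (++hops > MAX_HOPS) return -1;      /* bounded loop detection */
            off = ((len & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (len & 0xC0) return -1;                 /* reserved label type */
        if (len > msglen - off - 1) return -1;     /* label overruns packet */
        need = len + (o ? 1 : 0);                  /* label plus separator */
        if (need >= outlen - o || o + need > MAX_NAME) return -1;
        if (o) out[o++] = '.';
        memcpy(out + o, msg + off + 1, len);
        o += len;
        off += len + 1;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char buf[64];
    int n = expand_name(sample, sizeof sample, 17, buf, sizeof buf);
    printf("%d %s\n", n, n < 0 ? "(rejected)" : buf);
    return 0;
}
```

The output-size check runs before each copy, so a destination buffer one byte too small is rejected rather than overrun.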
I don't see any obvious way to test this as it's not required or build required by anything in Mageia from what I can see.
CC: (none) => thierry.vignaud
Indeed. I only packaged it in order to test building stage1 with musl instead of dietlibc. We ended up using glibc instead.

You can just push the package or just try building a small C "hello world" program in order to check it's still working.
Thanks for the suggestion Thierry, I didn't even think of that :o)

The only downside to hello world is that it doesn't make use of the code affected by this update. So, I wrote a small DNS resolver program that uses gethostbyname, which the upstream advisory mentions should make use of the affected code.

I ran my program with the updated musl on Mageia 4 i586 and it works fine. Interestingly enough, compiled with glibc it doesn't seem to work! (It always returns host not found).

How to use this program:
- install musl-devel
- save the following code (at the bottom) as lookup.c
- run "musl-gcc -o lookup lookup.c"
- use the "lookup" binary created and give a host as a command line arg: lookup www.yahoo.com

It should give some valid output. I get (for the above example):

    Name:           fd-fp3.wg1.b.yahoo.com
    Alias 0:        fd-fp3.wg1.b.yahoo.com
    Alias 1:        www.yahoo.com
    Type:           IPv4
    Address 0:      98.139.180.149
    Address 1:      98.139.183.24

Code:

    #include <stdio.h>
    #include <stddef.h>
    #include <sys/socket.h>   /* AF_INET, AF_INET6 */
    #include <netdb.h>        /* gethostbyname, h_errno */

    int main(int argc, char *argv[]){
        struct hostent *res;
        char *alias, *address;
        int i = 0, j;

        /* A host name argument is required */
        if (argc < 2) {
            fprintf(stderr, "Usage: %s host\n", argv[0]);
            return 1;
        }

        res = gethostbyname(argv[1]);
        if (res == NULL) {
            /* h_errno is only meaningful after a failed lookup */
            switch(h_errno) {
                case HOST_NOT_FOUND: printf("Host not found\n"); break;
                case TRY_AGAIN: printf("Try again\n"); break;
                case NO_RECOVERY: printf("Non-recoverable error\n"); break;
                case NO_DATA: printf("No data\n"); break;
                default: printf("Lookup failed (h_errno %d)\n", h_errno);
            }
            return h_errno;
        }

        /* Canonical name followed by every alias */
        printf("Name:\t\t%s\n", res->h_name);
        alias = res->h_aliases[i];
        while (alias != NULL) {
            printf("Alias %d:\t%s\n", i, alias);
            alias = res->h_aliases[++i];
        }

        printf("Type:\t\t");
        switch(res->h_addrtype){
            case AF_INET: printf("IPv4\n"); break;
            case AF_INET6: printf("IPv6\n"); break;
            default: printf("Unknown %d-byte length address\n", res->h_length);
        }

        /* Each address is h_length raw bytes, printed as dotted decimal */
        i = 0;
        address = res->h_addr_list[i];
        while (address != NULL) {
            printf("Address %d:\t", i);
            for (j = 0; j < res->h_length; j++) {
                printf("%u", (unsigned char)address[j]);
                if (j != res->h_length-1) printf(".");
                else printf("\n");
            }
            address = res->h_addr_list[++i];
        }
        return 0;
    }
When you run the binary you make, you'll most likely need a ./: ./lookup www.yahoo.com
Whiteboard: (none) => has_procedure
Adding the whiteboard marker for my previous testing (i586).
Whiteboard: has_procedure => has_procedure MGA4-32-OK
same tests ok under x86_64
CC: (none) => makowski.mageia
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Thanks both.

Validating. Advisory uploaded.

Could sysadmin please push to 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0262.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/602883/