Bug 13841 - sdcc new security issue CVE-2012-3509
Summary: sdcc new security issue CVE-2012-3509
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-08-01 19:40 CEST by David Walser
Modified: 2014-08-22 12:58 CEST
CC List: 6 users

See Also:
Source RPM: sdcc-3.3.0-2.mga4.src.rpm
CVE: CVE-2012-3509
Status comment:


Attachments
testing procedure (2.12 KB, text/plain)
2014-08-19 20:01 CEST, James Kerr

Description David Walser 2014-08-01 19:40:13 CEST
Fedora has issued an advisory on July 19:
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136230.html

Unfortunately they didn't use git properly so they uploaded the patch to the repo instead of git, so you'll have to download the SRPM to retrieve it.

David Walser 2014-08-01 19:40:19 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Barry Jackson 2014-08-02 02:18:00 CEST
Thanks ;) 
Working on it
Comment 2 Barry Jackson 2014-08-04 02:04:43 CEST
Seems this affects more than sdcc:

https://fedorahosted.org/fesco/ticket/956

Only cross-avr-gcc in Mageia has the virtual Provides: bundled(libiberty) 

[baz@localhost ~]$ urpmf libiberty
cross-avr-gcc:/usr/lib/gcc/avr/4.8.1/plugin/include/libiberty.h
lib64binutils-devel:/usr/include/libiberty.h
lib64binutils-devel:/usr/lib64/libiberty.a
gcc-plugins:/usr/lib/gcc/x86_64-mageia-linux-gnu/4.9.2/plugin/include/libiberty.h
cross-avr-gcc:/usr/lib/gcc/avr/4.8.1/plugin/include/libiberty.h
libbinutils-devel:/usr/include/libiberty.h
libbinutils-devel:/usr/lib/libiberty.a
gcc-plugins:/usr/lib/gcc/i586-mageia-linux-gnu/4.9.2/plugin/include/libiberty.h

Are we using that virtual provide officially? I will add it to sdcc if so.

CC: (none) => luigiwalser
CVE: (none) => CVE-2012-3509

Comment 3 David Walser 2014-08-04 04:33:56 CEST
The bundled() thing is just a Fedora thing.  RedHat has a long bug on libiberty (who named that thing?) that's hard to follow.  It sounds like for most things that bundled it, they determined that they didn't expose the vulnerability in any useful way.  sdcc is the only package for which they've issued an advisory AFAIK.
Comment 4 Barry Jackson 2014-08-14 22:56:00 CEST
######################################
Update Advisory
######################################
sdcc-3.4.0-3 has been pushed to:
3/core/updates/testing
3/nonfree/updates/testing
and
4/core/updates/testing
4/nonfree/updates/testing

The non-free version has non-free components that cannot be in core.

This version has a Fedora patch to fix the CVE, but I have no poc.

Basic testing of sdcc compiler is explained here:
http://k1.spdns.de/Develop/Hardware/AVR/mixed%20docs.../doc/sdccman.html/node26.htm

Affected packages:
sdcc-3.4.0-3.mga3.src.rpm
sdcc-3.4.0-3.mga3.x86_64.rpm
sdcc-debuginfo-3.4.0-3.mga3.x86_64.rpm

sdcc-3.4.0-3.mga4.src.rpm
sdcc-3.4.0-3.mga4.x86_64.rpm
sdcc-debuginfo-3.4.0-3.mga4.x86_64.rpm
Comment 5 Barry Jackson 2014-08-15 00:24:25 CEST
Seems it dropped an 'l'
http://k1.spdns.de/Develop/Hardware/AVR/mixed%20docs.../doc/sdccman.html/node26.html
Barry Jackson 2014-08-15 11:27:15 CEST

Assignee: zen25000 => qa-bugs

Comment 6 Barry Jackson 2014-08-15 11:32:35 CEST
Let's start again as I also forgot the i586 packages.

######################################
Update Advisory
######################################
sdcc-3.4.0-3 has been pushed to:
3/core/updates/testing
3/nonfree/updates/testing
and
4/core/updates/testing
4/nonfree/updates/testing

The non-free version has non-free components that cannot be in core.

This version has a Fedora patch to fix the CVE, but I have no poc.

Basic testing of sdcc compiler is explained here:
http://k1.spdns.de/Develop/Hardware/AVR/mixed%20docs.../doc/sdccman.html/node26.html

Affected packages:
sdcc-3.4.0-3.mga3.src.rpm
sdcc-3.4.0-3.mga3.x86_64.rpm
sdcc-debuginfo-3.4.0-3.mga3.x86_64.rpm
sdcc-3.4.0-3.mga3.i586.rpm
sdcc-debuginfo-3.4.0-3.mga3.i586.rpm

sdcc-3.4.0-3.mga4.src.rpm
sdcc-3.4.0-3.mga4.x86_64.rpm
sdcc-3.4.0-3.mga4.i586.rpm
sdcc-debuginfo-3.4.0-3.mga4.x86_64.rpm
sdcc-debuginfo-3.4.0-3.mga4.i586.rpm

CC: (none) => zen25000

Rémi Verschelde 2014-08-15 11:33:40 CEST

CC: (none) => remi
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 7 James Kerr 2014-08-15 13:45:34 CEST
Testing on mga-3-64 

After upgrading to the free version in testing, the symlinks in /usr/bin are all named sdcc-sd* and using, for example, "sdcc --version" produces a file not found response. It is possible to launch the program using sdcc-sdcc, but it is unable to find the component files, for example

"sdcc-sdcc -c test.c
sh: sdcpp: command not found"

Launching the executable directly

/usr/libexec/sdcc/sdcc -c test.c
does seem to work.

The version in /core/release did pass the tests.
Comment 8 Barry Jackson 2014-08-15 13:53:21 CEST
Thanks Jim,
I will investigate.
Comment 9 Barry Jackson 2014-08-16 00:42:48 CEST
A fixed package is in Cauldron now. I will push it to 3 & 4 if I get the chance and feel up to it (man flu :( ). Probably why I messed this up - now I know why Fd didn't use symlinks :\
Comment 10 Barry Jackson 2014-08-18 23:53:42 CEST
After much deliberation I have reverted to keeping all the binaries in /usr/bin rather than relocating them. This currently causes no conflicts and simplifies things for us and the user.

Since this CVE also probably affects sdcc2.9 which is now really old, I have obsoleted it with this new version.

######################################
Update Advisory
######################################
sdcc-3.4.0-6 has been pushed to:
3/core/updates/testing
3/nonfree/updates/testing
and
4/core/updates/testing
4/nonfree/updates/testing

The non-free version has non-free components that cannot be in core.

This version has a Fedora patch to fix the CVE, but I have no poc.

Basic testing of sdcc compiler is explained here:
http://k1.spdns.de/Develop/Hardware/AVR/mixed%20docs.../doc/sdccman.html/node26.html

Affected packages:
sdcc-3.4.0-6.mga3.src.rpm
sdcc-3.4.0-6.mga3.x86_64.rpm
sdcc-debuginfo-3.4.0-6.mga3.x86_64.rpm
sdcc-3.4.0-6.mga3.i586.rpm
sdcc-debuginfo-3.4.0-6.mga3.i586.rpm

sdcc-3.4.0-6.mga4.src.rpm
sdcc-3.4.0-6.mga4.x86_64.rpm
sdcc-debuginfo-3.4.0-6.mga4.x86_64.rpm
sdcc-3.4.0-6.mga4.i586.rpm
sdcc-debuginfo-3.4.0-6.mga4.i586.rpm
Comment 11 William Kenney 2014-08-19 19:02:06 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
sdcc

default install of sdcc

[root@localhost wilcal]# urpmi sdcc
Package sdcc-3.3.0-2.mga4.i586 is already installed

[wilcal@localhost ~]$ sdcc
SDCC : mcs51/gbz80/z80/z180/r2k/r3ka/ds390/pic16/pic14/TININative/ds400/hc08/s08 3.3.0 #8604 (Oct 23 2013) (Linux)
Usage : sdcc [options] filename
Options :-

General options:........

(In reply to James Kerr from comment #7)
>.....
> Launching the executable directly
> 
> /usr/libexec/sdcc/sdcc -c test.c
> does seem to work.
> 
> The version in /core/release did pass the tests.

James, could you attach to this Bug your/a "test.c" file such that we can all
use the same testing criteria you are using. Please explain when I put
that file into say /home/wilcal/sdcctest, and in a terminal in that
folder, execute: sdcc -c test.c
Tell us exactly what you expect to happen. Keep it simple so we can
do this again in the future. Thanks.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 12 James Kerr 2014-08-19 19:31:51 CEST
(In reply to William Kenney from comment #11)
I followed the procedures described in the page linked to in comment 10. What more do you need?
Comment 13 James Kerr 2014-08-19 19:33:25 CEST
Resuming testing on mga-3-64
Installed sdcc2.9 from /core/release
Installed sdcc from /core/updates/testing. sdcc2.9 was removed as expected.
Ran the tests linked to in comment 10
All tests completed successfully
Updated to the nonfree version and re-ran the tests
All tests completed successfully.

Testing complete mga-3-64

Whiteboard: MGA3TOO => MGA3TOO MGA3-64-OK

Comment 14 James Kerr 2014-08-19 20:01:27 CEST
Created attachment 5350 [details]
testing procedure
Comment 15 William Kenney 2014-08-19 22:01:06 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
sdcc

default install of sdcc

[root@localhost wilcal]# urpmi sdcc
Package sdcc-3.3.0-2.mga4.i586 is already installed

In terminal in /home/wilcal/sdcc_test
[wilcal@localhost wilcal]# sdcc --version
SDCC : mcs51/gbz80/z80/z180/r2k/r3ka/ds390/pic16/pic14/TININative/ds400/hc08/s08 3.3.0 #8604 (Oct 23 2013) (Linux)
Create initial test.c file per test procedure
[wilcal@localhost sdcc_test]$ sdcc -c test.c
creates test.sym test.rel test.lst test.asm
[wilcal@localhost sdcc_test]$ sdcc test.c
creates test.rst test.mem test.map test.lk test.ihx
Edit test.c per test procedure
[wilcal@localhost sdcc_test]$ sdcc test.c
regenerates test.ihx file, no errors reported
[wilcal@localhost sdcc_test]$ sdcc --print-search-dirs
programs:
/usr/bin
datadir:
/usr/bin/../share
/usr/share
includedir:
/usr/bin/../share/sdcc/include/mcs51
/usr/share/sdcc/include/mcs51
/usr/bin/../share/sdcc/include
/usr/share/sdcc/include
libdir:
/usr/bin/../share/sdcc/lib/small
/usr/share/sdcc/lib/small
libpath:

clear out /home/wilcal/sdcc_test

install sdcc from updates_testing

[root@localhost wilcal]# urpmi sdcc
Package sdcc-3.4.0-6.mga4.nonfree.i586 is already installed

In terminal in /home/wilcal/sdcc_test
[wilcal@localhost sdcc_test]$ sdcc --version
SDCC : mcs51/z80/z180/r2k/r3ka/gbz80/tlcs90/ds390/pic16/pic14/TININative/ds400/hc08/s08/stm8 3.4.0 #8981 (Aug 18 2014) (Linux)
published under GNU General Public License (GPL)
Create initial test.c file per test procedure
[wilcal@localhost sdcc_test]$ sdcc -c test.c
creates test.sym test.rel test.lst test.asm
[wilcal@localhost sdcc_test]$ sdcc test.c
creates test.rst test.mem test.map test.lk test.ihx
Edit test.c per test procedure
[wilcal@localhost sdcc_test]$ sdcc test.c
regenerates test.ihx file, no errors reported
Create initial test.c file per test procedure
[wilcal@localhost sdcc_test]$ sdcc -c test.c
creates test.sym test.rel test.lst test.asm
[wilcal@localhost sdcc_test]$ sdcc test.c
creates test.rst test.mem test.map test.lk test.ihx
Edit test.c per test procedure
[wilcal@localhost sdcc_test]$ sdcc test.c
regenerates test.ihx file, no errors reported

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 16 William Kenney 2014-08-19 22:02:56 CEST
(In reply to William Kenney from comment #15)

> In VirtualBox, M4, KDE, 32-bit
> ........

Look good to you James?
Comment 17 William Kenney 2014-08-19 22:48:57 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
sdcc

default install of sdcc

[root@localhost sdcc_test]# urpmi sdcc
Package sdcc-3.3.0-2.mga4.x86_64 is already installed

[root@localhost sdcc_test]# sdcc --version
SDCC : mcs51/gbz80/z80/z180/r2k/r3ka/ds390/pic16/pic14/TININative/ds400/hc08/s08 3.3.0 #8604 (Oct 23 2013) (Linux)
Create initial test.c file per test procedure
[wilcal@localhost sdcc_test]$ sdcc -c test.c
creates test.sym test.rel test.lst test.asm
[wilcal@localhost sdcc_test]$ sdcc test.c
creates test.rst test.mem test.map test.lk test.ihx
Edit test.c per test procedure
[wilcal@localhost sdcc_test]$ sdcc test.c
regenerates test.ihx file, no errors reported
[wilcal@localhost sdcc_test]$ sdcc --print-search-dirs
programs:
/usr/bin
datadir:
/usr/bin/../share
/usr/share
includedir:
/usr/bin/../share/sdcc/include/mcs51
/usr/share/sdcc/include/mcs51
/usr/bin/../share/sdcc/include
/usr/share/sdcc/include
libdir:
/usr/bin/../share/sdcc/lib/small
/usr/share/sdcc/lib/small
libpath:

clear out /home/wilcal/sdcc_test

install sdcc from updates_testing

[root@localhost wilcal]# urpmi sdcc
Package sdcc-3.4.0-6.mga4.nonfree.x86_64 is already installed

[wilcal@localhost sdcc_test]$ sdcc --version
SDCC : mcs51/z80/z180/r2k/r3ka/gbz80/tlcs90/ds390/pic16/pic14/TININative/ds400/hc08/s08/stm8 3.4.0 #8981 (Aug 18 2014) (Linux)
published under GNU General Public License (GPL)
Create initial test.c file per test procedure
[wilcal@localhost sdcc_test]$ sdcc -c test.c
creates test.sym test.rel test.lst test.asm
[wilcal@localhost sdcc_test]$ sdcc test.c
creates test.rst test.mem test.map test.lk test.ihx
Edit test.c per test procedure
[wilcal@localhost sdcc_test]$ sdcc test.c
regenerates test.ihx file, no errors reported
[wilcal@localhost sdcc_test]$ sdcc --print-search-dirs
programs:
/usr/bin
datadir:
/usr/bin/../share
/usr/share
includedir:
/usr/bin/../share/sdcc/include/mcs51
/usr/share/sdcc/include/mcs51
/usr/bin/../share/sdcc/include
/usr/share/sdcc/include
libdir:
/usr/bin/../share/sdcc/lib/small
/usr/share/sdcc/lib/small
libpath:

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 18 William Kenney 2014-08-19 23:32:17 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
sdcc

default install of sdcc

[root@localhost wilcal]# urpmi sdcc
Package sdcc-3.2.0-5.mga3.i586 is already installed

[wilcal@localhost sdcc_test]$ sdcc --version
SDCC : mcs51/gbz80/z80/z180/r2k/r3ka/ds390/pic16/pic14/TININative/ds400/hc08/s08 3.2.1 #8246 (Jan 14 2013) (Linux)
Create initial test.c file per test procedure
[wilcal@localhost sdcc_test]$ sdcc -c test.c
creates test.sym test.rel test.lst test.asm
[wilcal@localhost sdcc_test]$ sdcc test.c
creates test.rst test.mem test.map test.lk test.ihx
Edit test.c per test procedure
[wilcal@localhost sdcc_test]$ sdcc test.c
regenerates test.ihx file, no errors reported
[wilcal@localhost sdcc_test]$ sdcc --print-search-dirs
programs:
/usr/bin
datadir:
/usr/bin/../share
/usr/share
includedir:
/usr/bin/../share/sdcc/include/mcs51
/usr/share/sdcc/include/mcs51
/usr/bin/../share/sdcc/include
/usr/share/sdcc/include
libdir:
/usr/bin/../share/sdcc/lib/small
/usr/share/sdcc/lib/small
libpath:

install sdcc from updates_testing

[root@localhost wilcal]# urpmi sdcc
Package sdcc-3.4.0-6.mga3.nonfree.i586 is already installed

[wilcal@localhost sdcc_test]$ sdcc --version
SDCC : mcs51/z80/z180/r2k/r3ka/gbz80/tlcs90/ds390/pic16/pic14/TININative/ds400/hc08/s08/stm8 3.4.0 #8981 (Aug 18 2014) (Linux)
Create initial test.c file per test procedure
[wilcal@localhost sdcc_test]$ sdcc -c test.c
creates test.sym test.rel test.lst test.asm
[wilcal@localhost sdcc_test]$ sdcc test.c
creates test.rst test.mem test.map test.lk test.ihx
Edit test.c per test procedure
[wilcal@localhost sdcc_test]$ sdcc test.c
regenerates test.ihx file, no errors reported
[wilcal@localhost sdcc_test]$ sdcc --print-search-dirs
programs:
/usr/bin
datadir:
/usr/bin/../share
/usr/share
includedir:
/usr/bin/../share/sdcc/include/mcs51
/usr/share/sdcc/include/mcs51
/usr/bin/../share/sdcc/include
/usr/share/sdcc/include
libdir:
/usr/bin/../share/sdcc/lib/small
/usr/share/sdcc/lib/small
libpath:

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 19 William Kenney 2014-08-19 23:55:24 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
sdcc

default install of sdcc

[root@localhost sdcc_test]# urpmi sdcc
Package sdcc-3.2.0-5.mga3.x86_64 is already installed

[wilcal@localhost sdcc_test]$ sdcc --version
SDCC : mcs51/gbz80/z80/z180/r2k/r3ka/ds390/pic16/pic14/TININative/ds400/hc08/s08 3.2.1 #8246 (Jan 14 2013) (Linux)
Create initial test.c file per test procedure
[wilcal@localhost sdcc_test]$ sdcc -c test.c
creates test.sym test.rel test.lst test.asm
[wilcal@localhost sdcc_test]$ sdcc test.c
creates test.rst test.mem test.map test.lk test.ihx
Edit test.c per test procedure
[wilcal@localhost sdcc_test]$ sdcc test.c
regenerates test.ihx file, no errors reported
[wilcal@localhost sdcc_test]$ sdcc --print-search-dirs
programs:
/usr/bin
datadir:
/usr/bin/../share
/usr/share
includedir:
/usr/bin/../share/sdcc/include/mcs51
/usr/share/sdcc/include/mcs51
/usr/bin/../share/sdcc/include
/usr/share/sdcc/include
libdir:
/usr/bin/../share/sdcc/lib/small
/usr/share/sdcc/lib/small
libpath:

install sdcc from updates_testing

[root@localhost wilcal]# urpmi sdcc
Package sdcc-3.4.0-6.mga3.nonfree.x86_64 is already installed

[wilcal@localhost ~]$ sdcc --version
SDCC : mcs51/z80/z180/r2k/r3ka/gbz80/tlcs90/ds390/pic16/pic14/TININative/ds400/hc08/s08/stm8 3.4.0 #8981 (Aug 18 2014) (Linux)
Create initial test.c file per test procedure
[wilcal@localhost sdcc_test]$ sdcc -c test.c
creates test.sym test.rel test.lst test.asm
[wilcal@localhost sdcc_test]$ sdcc test.c
creates test.rst test.mem test.map test.lk test.ihx
Edit test.c per test procedure
[wilcal@localhost sdcc_test]$ sdcc test.c
regenerates test.ihx file, no errors reported
[wilcal@localhost sdcc_test]$ sdcc --print-search-dirs
programs:
/usr/bin
datadir:
/usr/bin/../share
/usr/share
includedir:
/usr/bin/../share/sdcc/include/mcs51
/usr/share/sdcc/include/mcs51
/usr/bin/../share/sdcc/include
/usr/share/sdcc/include
libdir:
/usr/bin/../share/sdcc/lib/small
/usr/share/sdcc/lib/small
libpath:

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 20 William Kenney 2014-08-19 23:56:31 CEST
What'a ya say James. Is it a go?
Comment 21 James Kerr 2014-08-20 01:00:20 CEST
I don't see where among all that you confirmed that the sdcc update does in fact obsolete sdcc2.9. I did confirm in comment 13 and I would have thought that it should also probably be checked on mga4, but perhaps it's not necessary.
Comment 22 Barry Jackson 2014-08-20 01:07:57 CEST
@Jim
The same package is in cauldron and in the last day sdcc2.9 is gone.

[baz@jackodesktop ~]$ urpmq sdcc2.9
No package named sdcc2.9

So the same will happen once this is pushed to core and/or nonfree in 3 & 4.
Comment 23 William Kenney 2014-08-20 01:17:26 CEST
Are we good to go, if so I'll validate this Bug?
Comment 24 James Kerr 2014-08-20 02:28:41 CEST
(In reply to William Kenney from comment #23)
If you are satisfied, then I have no objection.
Comment 25 William Kenney 2014-08-20 03:08:04 CEST
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 26 claire robinson 2014-08-20 19:48:05 CEST
We need an advisory text for this one, please.
Comment 27 James Kerr 2014-08-21 14:21:43 CEST
I suggest that the advisory proposed in comment 10 should be amended to read 
something like:

------------------------------------------------------
Updated sdcc packages fix a security vulnerability.

Integer overflow, leading to heap-buffer overflow by processing certain file 
headers via bfd binary. (CVE-2012-3509)

A nonfree package is also now available, which provides components that cannot 
be included in the core repository.

In addition, this update obsoletes sdcc2.9, which is old and probably has the same security vulnerability.

SRPMS

sdcc-3.4.0-6.mga3.src.rpm
sdcc-3.4.0-6.mga3.nonfree.src.rpm
sdcc-3.4.0-6.mga4.src.rpm
sdcc-3.4.0-6.mga4.nonfree.src.rpm

References: https://bugs.mageia.org/show_bug.cgi?id=13841
            https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136230.html
------------------------------------------------------------------------

The advisory would need to be created by someone with SVN access.
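The advisory text above names the bug class (an integer overflow in a size computation that becomes a heap buffer overflow when a file header is processed). The following C example is added here and is not code from libiberty, sdcc or Mageia: a hypothetical allocator rounds a length read from a constructed 8-byte header up to a 16-byte boundary, with the arithmetic done in uint32_t to stand in for a 32-bit host, and shows the unchecked rounding wrapping to 0 while the checked variant rejects the header.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the bug class the advisory names: a size taken
 * from an untrusted file header is rounded up to an alignment boundary
 * and the rounding overflows, so the heap gets a tiny request while the
 * caller still copies the full header-declared length. Arithmetic is
 * uint32_t to model a 32-bit host. Illustrative code, not libiberty's. */
#define ALIGN 16u

/* Unchecked rounding: wraps whenever len > UINT32_MAX - (ALIGN - 1). */
uint32_t round_up_unchecked(uint32_t len)
{
    return (len + ALIGN - 1) & ~(ALIGN - 1);
}

/* Checked rounding: rejects lengths whose rounding would wrap.
 * Returns 0 and stores the rounded size in *out, or -1 on overflow. */
int round_up_checked(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - (ALIGN - 1))
        return -1;
    *out = (len + ALIGN - 1) & ~(ALIGN - 1);
    return 0;
}

/* Constructed header layout: 4 magic bytes, then a little-endian
 * 32-bit payload length. */
uint32_t header_length(const unsigned char hdr[8])
{
    return (uint32_t)hdr[4] | ((uint32_t)hdr[5] << 8) |
           ((uint32_t)hdr[6] << 16) | ((uint32_t)hdr[7] << 24);
}

/* Size that would be requested from the heap for this header.
 * Returns 0 with *out set when accepted, -1 when the checked path
 * rejects the header. The unchecked path accepts everything. */
int request_size(const unsigned char hdr[8], int checked, uint32_t *out)
{
    uint32_t len = header_length(hdr);
    if (!checked) {
        *out = round_up_unchecked(len);
        return 0;
    }
    return round_up_checked(len, out);
}

/* Constructed sample headers (not taken from any real file). */
const unsigned char crafted_hdr[8] = {'T','E','S','T', 0xF8,0xFF,0xFF,0xFF};
const unsigned char benign_hdr[8]  = {'T','E','S','T', 0x11,0x00,0x00,0x00};

int main(void)
{
    uint32_t out = 0;
    request_size(crafted_hdr, 0, &out);
    printf("unchecked: declared %" PRIu32 " bytes, heap asked for %" PRIu32 "\n",
           header_length(crafted_hdr), out);            /* 4294967288 -> 0 */
    if (request_size(crafted_hdr, 1, &out) != 0)
        printf("checked: header rejected\n");
    if (request_size(benign_hdr, 1, &out) == 0)
        printf("checked: 17 bytes rounds to %" PRIu32 "\n", out); /* 32 */
    return 0;
}
```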
Comment 28 Dave Hodgins 2014-08-21 23:30:19 CEST
13841.adv added to svn

CC: (none) => davidwhodgins
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Comment 29 Mageia Robot 2014-08-22 12:58:35 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0346.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

