Debian has issued an advisory today (August 27): https://www.debian.org/security/2014/dsa-3012

The issue also affects glibc and is detailed here, including PoC: http://openwall.com/lists/oss-security/2014/08/26/2

Mageia 3 and Mageia 4 are also affected.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Fixed in Cauldron in glibc-2.19-11.mga5

Advisory:

Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversion functions could achieve arbitrary code execution. This update removes support of loadable gconv transliteration modules. Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose. (CVE-2014-5119)

References:
https://www.debian.org/security/2014/dsa-3012
http://openwall.com/lists/oss-security/2014/08/26/2

Mga4:
SRPM: glibc-2.18-9.3.mga4.src.rpm
i586:
glibc-2.18-9.3.mga4.i586.rpm
glibc-devel-2.18-9.3.mga4.i586.rpm
glibc-doc-2.18-9.3.mga4.noarch.rpm
glibc-i18ndata-2.18-9.3.mga4.i586.rpm
glibc-profile-2.18-9.3.mga4.i586.rpm
glibc-static-devel-2.18-9.3.mga4.i586.rpm
glibc-utils-2.18-9.3.mga4.i586.rpm
nscd-2.18-9.3.mga4.i586.rpm
x86_64:
glibc-2.18-9.3.mga4.x86_64.rpm
glibc-devel-2.18-9.3.mga4.x86_64.rpm
glibc-doc-2.18-9.3.mga4.noarch.rpm
glibc-i18ndata-2.18-9.3.mga4.x86_64.rpm
glibc-profile-2.18-9.3.mga4.x86_64.rpm
glibc-static-devel-2.18-9.3.mga4.x86_64.rpm
glibc-utils-2.18-9.3.mga4.x86_64.rpm
nscd-2.18-9.3.mga4.x86_64.rpm

Mga3:
SRPM: glibc-2.17-7.4.mga3.src.rpm
i586:
glibc-2.17-7.4.mga3.i586.rpm
glibc-devel-2.17-7.4.mga3.i586.rpm
glibc-doc-2.17-7.4.mga3.noarch.rpm
glibc-i18ndata-2.17-7.4.mga3.i586.rpm
glibc-profile-2.17-7.4.mga3.i586.rpm
glibc-static-devel-2.17-7.4.mga3.i586.rpm
glibc-utils-2.17-7.4.mga3.i586.rpm
nscd-2.17-7.4.mga3.i586.rpm
x86_64:
glibc-2.17-7.4.mga3.x86_64.rpm
glibc-devel-2.17-7.4.mga3.x86_64.rpm
glibc-doc-2.17-7.4.mga3.noarch.rpm
glibc-i18ndata-2.17-7.4.mga3.x86_64.rpm
glibc-profile-2.17-7.4.mga3.x86_64.rpm
glibc-static-devel-2.17-7.4.mga3.x86_64.rpm
glibc-utils-2.17-7.4.mga3.x86_64.rpm
nscd-2.17-7.4.mga3.x86_64.rpm
Hardware: i586 => All
Version: Cauldron => 4
Assignee: tmb => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
The PoC detailed in the openwall link can't be downloaded from here. Instead, you can find it here on the Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-5119
CC: (none) => remi
Can't reproduce the PoC on Mageia 4 32bit. I'll update glibc, glibc-devel and nscd and make sure everything works as expected.
Testing mga3 32

Testing with the PoC. Download CVE-2014-5119.tar.gz from https://code.google.com/p/google-security-research/issues/detail?id=96

Need gcc installed.

$ make clean
rm -f pkexploit pty *.o a.out *.so

$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00021c40 -ldl pkexploit.c -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00021c40 -ldl pty.c -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00021c40 -c -o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so

Execute pkexploit to attempt exploitation.

$ ./pkexploit
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] This proof of concept is designed for 32 bit Fedora 20
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
^C

This sent virtuoso-t crazy to the point of DoS, so killed with ctrl-c and disabled indexing in KDE settings. Attempting the exploit again just maxed cpu for a few minutes then dropped to no load but gets no further than the output above, so it seems to be silently failing (in its current form at least).

I'll test the update shortly but submitting this first..
With the update installed and machine rebooted the PoC will not even build, hope that is a good sign. All applications still seem to work as normal, with no regressions.

$ make clean
rm -f pkexploit pty *.o a.out *.so

$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -ldl pkexploit.c -o pkexploit
pkexploit.c: In function 'main':
pkexploit.c:306:78: error: '_OPEN_TRANSLIT_OFF' undeclared (first use in this function)
pkexploit.c:306:78: note: each undeclared identifier is reported only once for each function it appears in
make: *** [pkexploit] Error 1

Is this expected?
Whiteboard: MGA3TOO => MGA3TOO has_procedure
See comment 5 please Thomas. Thanks.
CC: (none) => tmb
(In reply to claire robinson from comment #5)
> With the update installed and machine rebooted the PoC will not even build,
> hope that is a good sign. All applications still seems to work as normal,
> with no regressions.
>
> $ make clean
> rm -f pkexploit pty *.o a.out *.so
>
> $ make
> cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -ldl pkexploit.c -o pkexploit
> pkexploit.c: In function 'main':
> pkexploit.c:306:78: error: '_OPEN_TRANSLIT_OFF' undeclared (first use in
> this function)
> pkexploit.c:306:78: note: each undeclared identifier is reported only once
> for each function it appears in
> make: *** [pkexploit] Error 1
>
> Is this expected?

Yep. As the advisory states:

"This update removes support of loadable gconv transliteration modules. Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose."

It's an intentional "breakage".
Thanks, that simplifies checking the PoC!

Testing complete then mga3 32
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok
Well, technically you could have tested with the already built pkexploit but no biggie...
Testing mga4-x86_64 wish me well ;-)
CC: (none) => brtians1
Hmm - I installed the following libraries:

x86_64:
glibc-2.18-9.3.mga4.x86_64.rpm
glibc-devel-2.18-9.3.mga4.x86_64.rpm
glibc-doc-2.18-9.3.mga4.noarch.rpm
glibc-i18ndata-2.18-9.3.mga4.x86_64.rpm
glibc-profile-2.18-9.3.mga4.x86_64.rpm
glibc-static-devel-2.18-9.3.mga4.x86_64.rpm
glibc-utils-2.18-9.3.mga4.x86_64.rpm
nscd-2.18-9.3.mga4.x86_64.rpm

It pinged me to upgrade a bunch of other packages after installing glibc-2.18.9.3mga4.x86_64.rpm, so I did (me thinks this was a bad idea).

Rebooted - after grub screen it goes to blank screen (installation did mention Radeon driver not compatible and disabled.) System came up fine falling back to older version.

Pretty sure this is user error. I'll uninstall and rethink this.

Brian
Testing MGA4 x64 real hardware. glibc had already been automatically updated to 2.18-9.3.mga4 before I tried the exploit. So I ran straight into the problem as defined in Comments 5 & 7. Since for general use the system seems OK, I follow Claire.
CC: (none) => lewyssmith
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK
I think you've actually installed everything from Updates Testing Brian rather than just the packages here. When updating packages from Updates Testing you have to cherry pick the ones you want and then disable Updates Testing again.

You can try removing everything installed after these glibc packages. You can get a list with:

# rpm -qa --last | less

You can maybe even produce a nicely formatted list and feed it into urpme with some clever awk command.
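The cleanup Claire describes above, written out as a small POSIX shell function. This is an added example, not something posted in the bug report: it takes rpm query output that carries the epoch install time in front of each package, finds the install time of the first package matching a prefix (here the glibc update candidate), and lists every package installed strictly later, so the batch pulled in from Updates Testing can be reviewed before it is fed to urpme or urpmi --downgrade. The query format string and the sample input are assumptions made for the example; the sample lines are constructed and are not output from any tester's machine.

```shell
# Added example, not part of the bug report: list the packages installed after
# a given package so a batch pulled in from Updates Testing can be reviewed and
# removed (urpme) or downgraded (urpmi --downgrade).
# Assumed input format, one package per line, produced on a live system by:
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# The sample below is constructed for this example.

SAMPLE_RPM_QUERY='1409861561 kmozillahelper-5.0.4-1.mga4.x86_64
1392015600 bash-4.2-26.mga4.x86_64
1409860862 glibc-2.18-9.3.mga4.x86_64
1409860862 nscd-2.18-9.3.mga4.x86_64
1409861560 libfoo-1.2-3.mga4.x86_64'

# packages_installed_after MARKER_PREFIX   (reads the query output on stdin)
# Prints, oldest first, every package whose install time is strictly later
# than that of the first package whose NEVRA starts with MARKER_PREFIX.
# Packages from the same transaction (same timestamp, e.g. nscd beside glibc)
# are deliberately excluded. Returns 1 when the marker is not found.
packages_installed_after() {
    later=$(awk -v marker="$1" '
        { ts[NR] = $1; name[NR] = $2 }
        !found && index($2, marker) == 1 { found = 1; cutoff = $1 }
        END {
            if (!found) { print "marker not found: " marker > "/dev/stderr"; exit 1 }
            for (i = 1; i <= NR; i++)
                if (ts[i] > cutoff) print ts[i], name[i]
        }') || return 1
    [ -n "$later" ] || return 0
    printf '%s\n' "$later" | sort -n | cut -d' ' -f2
}

# On a live system (assumed usage, review the list before removing anything):
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' \
#       | packages_installed_after glibc-2.18-9.3 > later.txt
```

Epoch seconds are used instead of `rpm -qa --last` because the `--last` column is a formatted date that awk cannot compare reliably, and because packages from the same urpmi transaction share one timestamp, which is exactly the set you want to keep.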
or even try urpmi --downgrade <package>
Yes - that's what I did :-( My bad. Running a script now to clean-it up.
Two more CVEs were assigned for glibc: http://openwall.com/lists/oss-security/2014/09/02/1 Thomas, do you want to fix these now?
Yeah, we might as well push the second fix at the same time....

CVE-2012-6656 does not affect us as it was fixed in glibc-2.16 and mga3 has 2.17, and mga4 has 2.18.

CVE-2014-6040 otoh affects mga3/mga4/cauldron; will push them tonight.
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure feedback
Assigning back to QA

CVE-2014-6040 fixed in Cauldron in glibc-2.19-12.mga5

Advisory:

Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversion functions could achieve arbitrary code execution. This update removes support of loadable gconv transliteration modules. Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose. (CVE-2014-5119)

Adhemerval Zanella Netto discovered out-of-bounds reads in additional code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364) that can be used to crash the system, causing a denial of service condition (CVE-2014-6040).

References:
https://www.debian.org/security/2014/dsa-3012
http://openwall.com/lists/oss-security/2014/08/26/2
http://openwall.com/lists/oss-security/2014/09/02/1

Mga4:
SRPM: glibc-2.18-9.4.mga4.src.rpm
i586:
glibc-2.18-9.4.mga4.i586.rpm
glibc-devel-2.18-9.4.mga4.i586.rpm
glibc-doc-2.18-9.4.mga4.noarch.rpm
glibc-i18ndata-2.18-9.4.mga4.i586.rpm
glibc-profile-2.18-9.4.mga4.i586.rpm
glibc-static-devel-2.18-9.4.mga4.i586.rpm
glibc-utils-2.18-9.4.mga4.i586.rpm
nscd-2.18-9.4.mga4.i586.rpm
x86_64:
glibc-2.18-9.4.mga4.x86_64.rpm
glibc-devel-2.18-9.4.mga4.x86_64.rpm
glibc-doc-2.18-9.4.mga4.noarch.rpm
glibc-i18ndata-2.18-9.4.mga4.x86_64.rpm
glibc-profile-2.18-9.4.mga4.x86_64.rpm
glibc-static-devel-2.18-9.4.mga4.x86_64.rpm
glibc-utils-2.18-9.4.mga4.x86_64.rpm
nscd-2.18-9.4.mga4.x86_64.rpm

Mga3:
SRPM: glibc-2.17-7.5.mga3.src.rpm
i586:
glibc-2.17-7.5.mga3.i586.rpm
glibc-devel-2.17-7.5.mga3.i586.rpm
glibc-doc-2.17-7.5.mga3.noarch.rpm
glibc-i18ndata-2.17-7.5.mga3.i586.rpm
glibc-profile-2.17-7.5.mga3.i586.rpm
glibc-static-devel-2.17-7.5.mga3.i586.rpm
glibc-utils-2.17-7.5.mga3.i586.rpm
nscd-2.17-7.5.mga3.i586.rpm
x86_64:
glibc-2.17-7.5.mga3.x86_64.rpm
glibc-devel-2.17-7.5.mga3.x86_64.rpm
glibc-doc-2.17-7.5.mga3.noarch.rpm
glibc-i18ndata-2.17-7.5.mga3.x86_64.rpm
glibc-profile-2.17-7.5.mga3.x86_64.rpm
glibc-static-devel-2.17-7.5.mga3.x86_64.rpm
glibc-utils-2.17-7.5.mga3.x86_64.rpm
nscd-2.17-7.5.mga3.x86_64.rpm
CVE: (none) => CVE-2014-5119, CVE-2014-6040
Summary: glibc new security issue CVE-2014-5119 => glibc new security issues CVE-2014-5119 and CVE-2014-6040
Whiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure
MGA4-64

installed the new update candidate then reboot. All fine for now, will yell if anything bad happens.

I've got this in dmesg, I don't know if it's new and if it's important:

[ 21.639968] traps: kmozillahelper[2425] general protection ip:7f1227987338 sp:7fff63140e38 error:0 in libpthread-2.18.so[7f1227976000+18000]
[ 23.743852] traps: akonadi_imap_re[2724] general protection ip:7fc358326338 sp:7fffdf968ba8 error:0 in libpthread-2.18.so[7fc358315000+18000]
CC: (none) => stormi
LWN reference for the new CVEs: http://lwn.net/Vulnerabilities/610939/
(In reply to Samuel VERSCHELDE from comment #19)
> MGA4-64
> I've got this in dmesg, I don't know if it's new and if it's important:
> [ 21.639968] traps: kmozillahelper[2425] general protection
> [ 23.743852] traps: akonadi_imap_re[2724] general protection

Testing also MGA4 x64 real hardware. It has KDE installed, but I am currently working with LightDM login manager & Cinnamon desktop.

Looked for Samuel's dmesg errors using glibc 2.18-9.3 : nothing.

Updated to: glibc-devel-2.18-9.4.mga4 ; glibc-2.18-9.4.mga4

On re-booting, once again those errors were *not* present for me. So at least on my box the latest update has not introduced these errors (caveat below).

> All fine for now, will yell if anything bad happens.

Same here. I will retry with KDM and KDE, & only report further if the dmesg errors occur.
Testing mga4 64

PoC for CVE-2014-6040 https://sourceware.org/bugzilla/show_bug.cgi?id=17325

Saved as 6040.c

$ gcc -o 6040 6040.c
$ ./6040
IBM930: iconv (...) error
IBM932: iconv (...) error
Segmentation fault

Testing both PoC's again after update.
After reboot..

CVE-2014-5119 using PoC from comment 4

$ make clean
rm -f pkexploit pty *.o a.out *.so

$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -ldl pkexploit.c -o pkexploit
pkexploit.c: In function 'main':
pkexploit.c:306:78: error: '_OPEN_TRANSLIT_OFF' undeclared (first use in this function)
   logmessage(LOG_DEBUG, "open_translit() symbol will be at %p", libcaddr + _OPEN_TRANSLIT_OFF);
                                                                            ^
pkexploit.c:306:78: note: each undeclared identifier is reported only once for each function it appears in
<builtin>: recipe for target 'pkexploit' failed
make: *** [pkexploit] Error 1

CVE-2014-6040 using PoC from comment 22

$ rm 6040
rm: remove regular file '6040'? y
$ gcc -o 6040 6040.c
$ ./6040
IBM930: iconv (...) error
IBM932: iconv (...) error
IBM933: iconv (...) error
IBM935: iconv (...) error
IBM937: iconv (...) error
IBM939: iconv (...) error
IBM943: iconv (...) error
$

Tested with a number of random applications and no obvious regressions so adding the OK.
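The before/after comparison in the two comments above (a segfault part-way through the code page list before the update, a clean "iconv (...) error" for every code page after it) can be reproduced without compiling the PoC. The following is an added example, not code from the bug report or from the upstream PoC: it pushes a short constructed byte sequence through the iconv command line tool for each code page named in the CVE-2014-6040 advisory and uses the exit status to tell a clean conversion error (exit 1) from a process killed by a signal (exit 128 + signal number, 139 for SIGSEGV). The input bytes and the ICONV_CMD override are assumptions made for the example; the bytes are not the upstream PoC input, so a "error" verdict only means the tool did not crash on this input.

```shell
# Added example (not part of the bug report or of the upstream PoC): run each
# code page from the CVE-2014-6040 advisory through iconv(1) and classify the
# exit status, distinguishing "conversion error" from "crashed by signal".

CODEPAGES="IBM930 IBM932 IBM933 IBM935 IBM937 IBM939 IBM943"
# ICONV_CMD can be overridden (e.g. with a stub function) to exercise the logic.
ICONV_CMD=${ICONV_CMD:-iconv}

# classify_status N -> "ok", "error", or "crashed (signal S)"
# Shells report a child killed by signal S as exit status 128 + S.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -ge 128 ]; then
        echo "crashed (signal $(($1 - 128)))"
    else
        echo error
    fi
}

# run_codepage CHARSET -> prints the exit status of converting the sample input
run_codepage() {
    # SO (0x0e) switches these EBCDIC code pages into double-byte mode; the
    # bytes that follow are a constructed, arbitrary sequence, then SI (0x0f).
    if printf '\016\377\377\017' | $ICONV_CMD -f "$1" -t UTF-8 >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# check_codepages -> one line per code page, "<charset>: <verdict>";
# returns 1 if any code page crashed, 0 otherwise
check_codepages() {
    rc=0
    for cp in $CODEPAGES; do
        status=$(run_codepage "$cp")
        verdict=$(classify_status "$status")
        echo "$cp: $verdict"
        case $verdict in crashed*) rc=1 ;; esac
    done
    return $rc
}
```

Run `check_codepages` once before and once after installing the update candidate and compare the two listings; the non-zero return value makes it usable from a test script, which a bare segfault message on the terminal is not.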
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Testing mga3 32 next
Mga3 32 doesn't segfault with the PoC for 6040 so the output is the same before and after the update/reboot, all is as in comment 23. No crashes or errors from any applications I tested (FF, LO, Gimp, etc) so adding the OK.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Testing mga3 64

Before
------

6040 segfaults again here.

$ rm 6040
rm: remove regular file '6040'? y
$ gcc -o 6040 6040.c
$ ./6040
IBM930: iconv (...) error
IBM932: iconv (...) error
Segmentation fault

After
-----

$ rm 6040
rm: remove regular file '6040'? y
$ gcc -o 6040 6040.c
$ ./6040
IBM930: iconv (...) error
IBM932: iconv (...) error
IBM933: iconv (...) error
IBM935: iconv (...) error
IBM937: iconv (...) error
IBM939: iconv (...) error
IBM943: iconv (...) error

$ make clean
rm -f pkexploit pty *.o a.out *.so

$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -ldl pkexploit.c -o pkexploit
pkexploit.c: In function 'main':
pkexploit.c:306:78: error: '_OPEN_TRANSLIT_OFF' undeclared (first use in this function)
pkexploit.c:306:78: note: each undeclared identifier is reported only once for each function it appears in
make: *** [pkexploit] Error 1

No apparent regressions in applications, adding OK
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32

As with mga3 32 there was no segfault with CVE-2014-6040 PoC but no regression either and no apparent regression in general use.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory from comment 18 uploaded.

Could sysadmin please push to 3 & 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0376.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED