Bug 13995 - glibc new security issues CVE-2014-5119 and CVE-2014-6040
Summary: glibc new security issues CVE-2014-5119 and CVE-2014-6040
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/609706/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-08-27 20:45 CEST by David Walser
Modified: 2014-09-15 12:37 CEST
CC List: 6 users

See Also:
Source RPM: glibc-2.19-10.mga5.src.rpm
CVE: CVE-2014-5119, CVE-2014-6040
Status comment:



Description David Walser 2014-08-27 20:45:53 CEST
Debian has issued an advisory today (August 27):
https://www.debian.org/security/2014/dsa-3012

The issue also affects glibc and is detailed here, including PoC:
http://openwall.com/lists/oss-security/2014/08/26/2

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-08-27 20:46:02 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Thomas Backlund 2014-08-28 19:51:36 CEST
Fixed in Cauldron in glibc-2.19-11.mga5


Advisory:
Tavis Ormandy discovered a heap-based buffer overflow in the transliteration
module loading code. As a result, an attacker who can supply a crafted
destination character set argument to iconv-related character conversion
functions could achieve arbitrary code execution.

This update removes support of loadable gconv transliteration modules.
Besides the security vulnerability, the module loading code had functionality
defects which prevented it from working for the intended purpose.
(CVE-2014-5119)

References:
https://www.debian.org/security/2014/dsa-3012
http://openwall.com/lists/oss-security/2014/08/26/2



Mga4:
SRPM:
glibc-2.18-9.3.mga4.src.rpm

i586:
glibc-2.18-9.3.mga4.i586.rpm
glibc-devel-2.18-9.3.mga4.i586.rpm
glibc-doc-2.18-9.3.mga4.noarch.rpm
glibc-i18ndata-2.18-9.3.mga4.i586.rpm
glibc-profile-2.18-9.3.mga4.i586.rpm
glibc-static-devel-2.18-9.3.mga4.i586.rpm
glibc-utils-2.18-9.3.mga4.i586.rpm
nscd-2.18-9.3.mga4.i586.rpm

x86_64:
glibc-2.18-9.3.mga4.x86_64.rpm
glibc-devel-2.18-9.3.mga4.x86_64.rpm
glibc-doc-2.18-9.3.mga4.noarch.rpm
glibc-i18ndata-2.18-9.3.mga4.x86_64.rpm
glibc-profile-2.18-9.3.mga4.x86_64.rpm
glibc-static-devel-2.18-9.3.mga4.x86_64.rpm
glibc-utils-2.18-9.3.mga4.x86_64.rpm
nscd-2.18-9.3.mga4.x86_64.rpm



Mga3:
SRPM:
glibc-2.17-7.4.mga3.src.rpm

i586:
glibc-2.17-7.4.mga3.i586.rpm
glibc-devel-2.17-7.4.mga3.i586.rpm
glibc-doc-2.17-7.4.mga3.noarch.rpm
glibc-i18ndata-2.17-7.4.mga3.i586.rpm
glibc-profile-2.17-7.4.mga3.i586.rpm
glibc-static-devel-2.17-7.4.mga3.i586.rpm
glibc-utils-2.17-7.4.mga3.i586.rpm
nscd-2.17-7.4.mga3.i586.rpm

x86_64:
glibc-2.17-7.4.mga3.x86_64.rpm
glibc-devel-2.17-7.4.mga3.x86_64.rpm
glibc-doc-2.17-7.4.mga3.noarch.rpm
glibc-i18ndata-2.17-7.4.mga3.x86_64.rpm
glibc-profile-2.17-7.4.mga3.x86_64.rpm
glibc-static-devel-2.17-7.4.mga3.x86_64.rpm
glibc-utils-2.17-7.4.mga3.x86_64.rpm
nscd-2.17-7.4.mga3.x86_64.rpm

Hardware: i586 => All
Version: Cauldron => 4
Assignee: tmb => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 Rémi Verschelde 2014-08-28 20:49:58 CEST
The PoC detailed in the openwall link can't be downloaded from here. Instead, you can find it here on the Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-5119

CC: (none) => remi

Comment 3 Rémi Verschelde 2014-08-28 21:57:53 CEST
Can't reproduce the PoC on Mageia 4 32bit. I'll update glibc, glibc-devel and nscd and make sure everything works as expected.
Comment 4 claire robinson 2014-08-31 10:02:50 CEST
Testing mga3 32

Testing with the PoC. Download CVE-2014-5119.tar.gz from
https://code.google.com/p/google-security-research/issues/detail?id=96

Need gcc installed.

$ make clean
rm -f pkexploit pty *.o a.out *.so

$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00021c40 -ldl  pkexploit.c   -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00021c40 -ldl  pty.c   -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00021c40  -c -o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so
Execute pkexploit to attempt exploitation.

$ ./pkexploit
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] This proof of concept is designed for 32 bit Fedora 20
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
^C

This sent virtuoso-t crazy to the point of DoS, so killed with ctrl-c and disabled indexing in KDE settings. Attempting the exploit again just maxed cpu for a few minutes then dropped to no load but gets no further than the output above, so it seems to be silently failing (in its current form at least).

I'll test the update shortly but submitting this first..
Comment 5 claire robinson 2014-08-31 10:36:52 CEST
With the update installed and machine rebooted the PoC will not even build, hope that is a good sign. All applications still seem to work as normal, with no regressions.

$ make clean
rm -f pkexploit pty *.o a.out *.so

$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99  -ldl  pkexploit.c   -o pkexploit
pkexploit.c: In function ‘main’:
pkexploit.c:306:78: error: ‘_OPEN_TRANSLIT_OFF’ undeclared (first use in this function)
pkexploit.c:306:78: note: each undeclared identifier is reported only once for each function it appears in
make: *** [pkexploit] Error 1

Is this expected?
claire robinson 2014-08-31 10:38:19 CEST

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 6 claire robinson 2014-08-31 10:43:59 CEST
See comment 5 please Thomas. Thanks.

CC: (none) => tmb

Comment 7 Thomas Backlund 2014-08-31 10:50:07 CEST
(In reply to claire robinson from comment #5)
> With the update installed and machine rebooted the PoC will not even build,
> hope that is a good sign. All applications still seems to work as normal,
> with no regressions.
> 
> $ make clean
> rm -f pkexploit pty *.o a.out *.so
> 
> $ make
> cc -ggdb3 -O0 -Wno-multichar -std=gnu99  -ldl  pkexploit.c   -o pkexploit
> pkexploit.c: In function ‘main’:
> pkexploit.c:306:78: error: ‘_OPEN_TRANSLIT_OFF’ undeclared (first use in
> this function)
> pkexploit.c:306:78: note: each undeclared identifier is reported only once
> for each function it appears in
> make: *** [pkexploit] Error 1
> 
> Is this expected?

Yep.

as the advisory states:

"This update removes support of loadable gconv transliteration modules.
Besides the security vulnerability, the module loading code had functionality
defects which prevented it from working for the intended purpose."

It's an intentional "breakage"
Comment 8 claire robinson 2014-08-31 10:53:54 CEST
Thanks, that simplifies checking the PoC !

Testing complete then mga3 32

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok

Comment 9 Thomas Backlund 2014-08-31 10:57:46 CEST
Well, technically you could have tested with the already built pkexploit but no biggie...
Comment 10 Brian Rockwell 2014-09-01 17:57:55 CEST
Testing mga4-x86_64

wish me well ;-)

CC: (none) => brtians1

Comment 11 Brian Rockwell 2014-09-01 20:00:04 CEST
Hmm - I installed the following libraries

x86_64:
glibc-2.18-9.3.mga4.x86_64.rpm
glibc-devel-2.18-9.3.mga4.x86_64.rpm
glibc-doc-2.18-9.3.mga4.noarch.rpm
glibc-i18ndata-2.18-9.3.mga4.x86_64.rpm
glibc-profile-2.18-9.3.mga4.x86_64.rpm
glibc-static-devel-2.18-9.3.mga4.x86_64.rpm
glibc-utils-2.18-9.3.mga4.x86_64.rpm
nscd-2.18-9.3.mga4.x86_64.rpm

It pinged me to upgrade a bunch of other packages after installing glibc-2.18.9.3mga4.x86_64.rpm, so I did (me thinks this was a bad idea).

Rebooted - after grub screen it goes to blank screen (installation did mention Radeon driver not compatible and disabled.)

System came up fine falling back to older version.

Pretty sure this is user error.  I'll uninstall and rethink this.

Brian
Comment 12 Lewis Smith 2014-09-01 21:36:24 CEST
Testing MGA4 x64 real hardware.

glibc had already been automatically updated to 2.18-9.3.mga4 before I tried the exploit. So I ran straight into the problem as defined in Comments 5 & 7.

Since for general use the system seems OK, I follow Claire.

CC: (none) => lewyssmith
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK

Comment 13 claire robinson 2014-09-01 21:54:00 CEST
I think you've actually installed everything from Updates Testing Brian rather than just the packages here. When updating packages from Updates Testing you have to cherry pick the ones you want and then disable Updates Testing again.

You can try removing everything installed after these glibc packages.

You can get a list with:

# rpm -qa --last | less

You can maybe even produce a nicely formatted list and feed it into urpme with some clever awk command.
Comment 14 claire robinson 2014-09-01 21:54:49 CEST
or even try urpmi --downgrade <package>
Comment 15 Brian Rockwell 2014-09-01 22:37:45 CEST
Yes - that's what I did  :-(  

My bad.

Running a script now to clean-it up.
Comment 16 David Walser 2014-09-02 15:29:00 CEST
Two more CVEs were assigned for glibc:
http://openwall.com/lists/oss-security/2014/09/02/1

Thomas, do you want to fix these now?
Comment 17 Thomas Backlund 2014-09-02 15:39:20 CEST
Yeah, we might as well push the second fix at the same time....

CVE-2012-6656 does not affect us as it was fixed in glibc-2.16 and mga3 has 2.17, and mga4 has 2.18.

CVE-2014-6040 otoh affects mga3/mga4/cauldron

will push them tonight.

Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure feedback

Comment 18 Thomas Backlund 2014-09-05 09:51:44 CEST
Assigning back to QA

CVE-2014-6040 fixed in Cauldron in glibc-2.19-12.mga5

Advisory:
Tavis Ormandy discovered a heap-based buffer overflow in the transliteration
module loading code. As a result, an attacker who can supply a crafted
destination character set argument to iconv-related character conversion
functions could achieve arbitrary code execution.

This update removes support of loadable gconv transliteration modules.
Besides the security vulnerability, the module loading code had functionality
defects which prevented it from working for the intended purpose.
(CVE-2014-5119)

Adhemerval Zanella Netto discovered out-of-bounds reads in additional code page
decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364) that can be used
to crash the system, causing a denial of service condition (CVE-2014-6040).

References:
https://www.debian.org/security/2014/dsa-3012
http://openwall.com/lists/oss-security/2014/08/26/2
http://openwall.com/lists/oss-security/2014/09/02/1



Mga4:
SRPM:
glibc-2.18-9.4.mga4.src.rpm

i586:
glibc-2.18-9.4.mga4.i586.rpm
glibc-devel-2.18-9.4.mga4.i586.rpm
glibc-doc-2.18-9.4.mga4.noarch.rpm
glibc-i18ndata-2.18-9.4.mga4.i586.rpm
glibc-profile-2.18-9.4.mga4.i586.rpm
glibc-static-devel-2.18-9.4.mga4.i586.rpm
glibc-utils-2.18-9.4.mga4.i586.rpm
nscd-2.18-9.4.mga4.i586.rpm

x86_64:
glibc-2.18-9.4.mga4.x86_64.rpm
glibc-devel-2.18-9.4.mga4.x86_64.rpm
glibc-doc-2.18-9.4.mga4.noarch.rpm
glibc-i18ndata-2.18-9.4.mga4.x86_64.rpm
glibc-profile-2.18-9.4.mga4.x86_64.rpm
glibc-static-devel-2.18-9.4.mga4.x86_64.rpm
glibc-utils-2.18-9.4.mga4.x86_64.rpm
nscd-2.18-9.4.mga4.x86_64.rpm



Mga3:
SRPM:
glibc-2.17-7.5.mga3.src.rpm

i586:
glibc-2.17-7.5.mga3.i586.rpm
glibc-devel-2.17-7.5.mga3.i586.rpm
glibc-doc-2.17-7.5.mga3.noarch.rpm
glibc-i18ndata-2.17-7.5.mga3.i586.rpm
glibc-profile-2.17-7.5.mga3.i586.rpm
glibc-static-devel-2.17-7.5.mga3.i586.rpm
glibc-utils-2.17-7.5.mga3.i586.rpm
nscd-2.17-7.5.mga3.i586.rpm

x86_64:
glibc-2.17-7.5.mga3.x86_64.rpm
glibc-devel-2.17-7.5.mga3.x86_64.rpm
glibc-doc-2.17-7.5.mga3.noarch.rpm
glibc-i18ndata-2.17-7.5.mga3.x86_64.rpm
glibc-profile-2.17-7.5.mga3.x86_64.rpm
glibc-static-devel-2.17-7.5.mga3.x86_64.rpm
glibc-utils-2.17-7.5.mga3.x86_64.rpm
nscd-2.17-7.5.mga3.x86_64.rpm

CVE: (none) => CVE-2014-5119, CVE-2014-6040
Summary: glibc new security issue CVE-2014-5119 => glibc new security issues CVE-2014-5119 and CVE-2014-6040
Whiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure
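
A quick "is this host patched?" check for the fixed versions listed in this comment, as an added example (not Mageia's own tooling). It assumes the installed version-release string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc`; the host list below is constructed sample input, and the comparison follows rpm's rpmvercmp segment rules so that 9.10 correctly sorts after 9.4.

```python
import re

# Fixed version-release per Mageia release, from the package lists in comment 18.
FIXED_VR = {
    "mga3": "2.17-7.5.mga3",
    "mga4": "2.18-9.4.mga4",
    "mga5": "2.19-12.mga5",  # Cauldron
}

# rpmvercmp segments: digit runs, alpha runs, and the '~' pre-release marker.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Return 1, 0 or -1 like rpm's rpmvercmp: numeric segments compare
    numerically, alpha segments lexically, numeric beats alpha, '~' sorts
    before anything, and leftover segments make a string newer."""
    if a == b:
        return 0
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while True:
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":
            if x != y:  # only one side has a tilde: that side is older
                return -1 if x == "~" else 1
            i += 1
            continue
        if x is None or y is None:
            break
        if x.isdigit() != y.isdigit():  # type mismatch: numeric segment wins
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        i += 1
    if x is None and y is None:
        return 0
    return -1 if x is None else 1

def vr_cmp(a: str, b: str) -> int:
    """Compare 'VERSION-RELEASE' strings; epoch is identical within one package."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed_vr: str, release: str) -> bool:
    return vr_cmp(installed_vr, FIXED_VR[release]) >= 0

def vulnerable_hosts(inventory: dict) -> list:
    """inventory maps host -> (mageia release, installed glibc VERSION-RELEASE)."""
    return [h for h, (rel, vr) in inventory.items() if not is_fixed(vr, rel)]

# Constructed sample inventory (not real hosts).
SAMPLE = {
    "mga4-box-a": ("mga4", "2.18-9.3.mga4"),  # first candidate: CVE-2014-6040 unfixed
    "mga4-box-b": ("mga4", "2.18-9.4.mga4"),
    "mga3-box": ("mga3", "2.17-7.4.mga3"),
    "cauldron": ("mga5", "2.19-12.mga5"),
}

if __name__ == "__main__":
    print("still vulnerable:", vulnerable_hosts(SAMPLE))
```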

Comment 19 Samuel Verschelde 2014-09-05 11:33:11 CEST
MGA4-64

installed the new update candidate then rebooted. All fine for now, will yell if anything bad happens.

I've got this in dmesg, I don't know if it's new and if it's important:

[   21.639968] traps: kmozillahelper[2425] general protection ip:7f1227987338 sp:7fff63140e38 error:0 in libpthread-2.18.so[7f1227976000+18000]
[   23.743852] traps: akonadi_imap_re[2724] general protection ip:7fc358326338 sp:7fffdf968ba8 error:0 in libpthread-2.18.so[7fc358315000+18000]

CC: (none) => stormi

Comment 20 David Walser 2014-09-05 17:37:15 CEST
LWN reference for the new CVEs:
http://lwn.net/Vulnerabilities/610939/
Comment 21 Lewis Smith 2014-09-05 21:41:02 CEST
(In reply to Samuel VERSCHELDE from comment #19)
> MGA4-64
> I've got this in dmesg, I don't know if it's new and if it's important:
> [   21.639968] traps: kmozillahelper[2425] general protection
> [   23.743852] traps: akonadi_imap_re[2724] general protection

Testing also MGA4 x64 real hardware.
It has KDE installed, but I am currently working with LightDM login manager & Cinnamon desktop.

Looked for Samuel's dmesg errors using glibc 2.18-9.3 : nothing.
Updated to: glibc-devel-2.18-9.4.mga4 ; glibc-2.18-9.4.mga4
On re-booting, once again those errors were *not* present for me. So at least on my box the latest update has not introduced these errors (caveat below).

> All fine for now, will yell if anything bad happens.
Same here. I will retry with KDM and KDE, & only report further if the dmesg errors occur.
Comment 22 claire robinson 2014-09-09 16:27:32 CEST
Testing mga4 64

PoC for CVE-2014-6040
https://sourceware.org/bugzilla/show_bug.cgi?id=17325

Saved as 6040.c

$ gcc -o 6040 6040.c
$ ./6040
IBM930: iconv (...) error
IBM932: iconv (...) error
Segmentation fault

Testing both PoC's again after update.
Comment 23 claire robinson 2014-09-09 16:38:20 CEST
After reboot..

CVE-2014-5119 using PoC from comment 4

$ make clean
rm -f pkexploit pty *.o a.out *.so

$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99  -ldl  pkexploit.c   -o pkexploit
pkexploit.c: In function ‘main’:
pkexploit.c:306:78: error: ‘_OPEN_TRANSLIT_OFF’ undeclared (first use in this function)
     logmessage(LOG_DEBUG, "open_translit() symbol will be at %p", libcaddr + _OPEN_TRANSLIT_OFF);
                                                                              ^
pkexploit.c:306:78: note: each undeclared identifier is reported only once for each function it appears in
<builtin>: recipe for target 'pkexploit' failed
make: *** [pkexploit] Error 1


CVE-2014-6040 using PoC from comment 22
$ rm 6040
rm: remove regular file ‘6040’? y

$ gcc -o 6040 6040.c 
$ ./6040 
IBM930: iconv (...) error
IBM932: iconv (...) error
IBM933: iconv (...) error
IBM935: iconv (...) error
IBM937: iconv (...) error
IBM939: iconv (...) error
IBM943: iconv (...) error
$


Tested with a number of random applications and no obvious regressions so adding the OK.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 24 claire robinson 2014-09-09 16:39:59 CEST
Testing mga3 32 next
Comment 25 claire robinson 2014-09-09 16:54:59 CEST
Mga3 32 doesn't segfault with the PoC for 6040 so the output is the same before and after the update/reboot, all is as in comment 23. No crashes or errors from any applications I tested (FF, LO, Gimp, etc) so adding the OK.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 26 claire robinson 2014-09-09 17:16:40 CEST
Testing mga3 64

Before
------
6040 segfaults again here.

$ rm 6040
rm: remove regular file ‘6040’? y
$ gcc -o 6040 6040.c 
$ ./6040 
IBM930: iconv (...) error
IBM932: iconv (...) error
Segmentation fault


After
-----
$ rm 6040
rm: remove regular file ‘6040’? y
$ gcc -o 6040 6040.c 
$ ./6040 
IBM930: iconv (...) error
IBM932: iconv (...) error
IBM933: iconv (...) error
IBM935: iconv (...) error
IBM937: iconv (...) error
IBM939: iconv (...) error
IBM943: iconv (...) error

$ make clean
rm -f pkexploit pty *.o a.out *.so
$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99  -ldl  pkexploit.c   -o pkexploit
pkexploit.c: In function ‘main’:
pkexploit.c:306:78: error: ‘_OPEN_TRANSLIT_OFF’ undeclared (first use in this function)
pkexploit.c:306:78: note: each undeclared identifier is reported only once for each function it appears in
make: *** [pkexploit] Error 1


No apparent regressions in applications, adding OK

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 27 claire robinson 2014-09-09 17:52:10 CEST
Testing complete mga4 32

As with mga3 32 there was no segfault with CVE-2014-6040 PoC but no regression either and no apparent regression in general use.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 28 claire robinson 2014-09-09 18:20:10 CEST
Validating. Advisory from comment 18 uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 29 Mageia Robot 2014-09-15 12:37:15 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0376.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
