Bug 14651 - Update request: glibc-2.18-9.5.mga4, glibc-2.17-7.6.mga3
Summary: Update request: glibc-2.18-9.5.mga4, glibc-2.17-7.6.mga3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/623290/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-23 20:55 CET by Thomas Backlund
Modified: 2014-11-28 18:19 CET (History)
9 users (show)

See Also:
Source RPM: glibc
CVE:
Status comment:


Attachments

Description Thomas Backlund 2014-11-23 20:55:02 CET
Cauldron fixed in: glibc-2.20-12.mga5



Advisory:
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).



Mga4:
SRPMS:
glibc-2.18-9.5.mga4.src.rpm

i586:
glibc-2.18-9.5.mga4.i586.rpm
glibc-devel-2.18-9.5.mga4.i586.rpm
glibc-doc-2.18-9.5.mga4.noarch.rpm
glibc-i18ndata-2.18-9.5.mga4.i586.rpm
glibc-profile-2.18-9.5.mga4.i586.rpm
glibc-static-devel-2.18-9.5.mga4.i586.rpm
glibc-utils-2.18-9.5.mga4.i586.rpm
nscd-2.18-9.5.mga4.i586.rpm

x86_64:
glibc-2.18-9.5.mga4.x86_64.rpm
glibc-devel-2.18-9.5.mga4.x86_64.rpm
glibc-doc-2.18-9.5.mga4.noarch.rpm
glibc-i18ndata-2.18-9.5.mga4.x86_64.rpm
glibc-profile-2.18-9.5.mga4.x86_64.rpm
glibc-static-devel-2.18-9.5.mga4.x86_64.rpm
glibc-utils-2.18-9.5.mga4.x86_64.rpm
nscd-2.18-9.5.mga4.x86_64.rpm



Mga3:
SRPMS:
glibc-2.17-7.6.mga3.src.rpm

i586:
glibc-2.17-7.6.mga3.i586.rpm
glibc-devel-2.17-7.6.mga3.i586.rpm
glibc-doc-2.17-7.6.mga3.noarch.rpm
glibc-i18ndata-2.17-7.6.mga3.i586.rpm
glibc-profile-2.17-7.6.mga3.i586.rpm
glibc-static-devel-2.17-7.6.mga3.i586.rpm
glibc-utils-2.17-7.6.mga3.i586.rpm
nscd-2.17-7.6.mga3.i586.rpm

x86_64:
glibc-2.17-7.6.mga3.x86_64.rpm
glibc-devel-2.17-7.6.mga3.x86_64.rpm
glibc-doc-2.17-7.6.mga3.noarch.rpm
glibc-i18ndata-2.17-7.6.mga3.x86_64.rpm
glibc-profile-2.17-7.6.mga3.x86_64.rpm
glibc-static-devel-2.17-7.6.mga3.x86_64.rpm
glibc-utils-2.17-7.6.mga3.x86_64.rpm
nscd-2.17-7.6.mga3.x86_64.rpm


Reproducible: 

Steps to Reproduce:
Thomas Backlund 2014-11-23 20:55:21 CET

CC: (none) => tmb
Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-11-24 00:18:37 CET
PoC: https://bugzilla.redhat.com/show_bug.cgi?id=1157689

$ cat cve20147817.c 
#include <wordexp.h>
int main (void)
{
  wordexp_t we;
  return wordexp ("$((1`touch /tmp/x`))", &we, WRDE_NOCMD);
}



Testing mga3 32

$ gcc -o testcase cve20147817.c 
$ ./testcase

$ ll /tmp/x
-rw-r--r-- 1 claire claire 0 Nov 23 23:14 /tmp/x

$ rm -f /tmp/x
$ rm -f testcase

Installing updates and rebooting.

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 claire robinson 2014-11-24 00:31:59 CET
After reboot..

$ gcc -o testcase cve20147817.c 
$ ./testcase
$ ll /tmp/x
ls: cannot access /tmp/x: No such file or directory

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok

Comment 3 user7 2014-11-24 17:41:04 CET
Thank you MrsB for the detailed testing procedure!

Testing complete on Mga4 i586, everything OK. Following the procedure from comment 3, I got the exact same results as MrsB (both before and after the update).

CC: (none) => wassi
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok

Comment 4 olivier charles 2014-11-24 21:05:03 CET
Testing on Mageia3-64 real hardware
using Claire's procedure in comment 1

$ rpm -q glibc
glibc-2.17-7.5.mga3
$ ll /tmp/x
-rw-r--r-- 1 zitounu zitounu 0 nov.  24 20:58 /tmp/x


$ rpm -q glibc
glibc-2.17-7.6.mga3
$ ll /tmp/x
ls: impossible d'accéder à /tmp/x: Aucun fichier ou dossier de ce type

All OK

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok MGA3-64-OK mga4-32-ok

Comment 5 Herman Viaene 2014-11-26 09:41:15 CET
Testing MGA4-64 on HP6555b
Same result as Claire's Comment 3

CC: (none) => herman.viaene
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA3-64-OK mga4-32-ok => MGA3TOO has_procedure mga3-32-ok MGA3-64-OK mga4-32-ok MGA4-64-OK

Comment 6 claire robinson 2014-11-26 11:11:05 CET
Validating. Advisory uploaded.

Please push to updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA3-64-OK mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok MGA3-64-OK mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Samuel Verschelde 2014-11-26 11:27:37 CET
I'm not highly confident about rushing the glibc update after only 1 test per arch, given the issues we've had in the past, especially when most of the testing went into testing a POC and even more for mga3 where we won't be able to fix any regression due to this update.

Couldn't we wait for a few days? I know mga3 is EOLed today, but maybe EOL should mean "no more update candidates, but we will handle the remaining updates in the pipe", not "let's push everything we've got before it's too late". Or we shouldn't have accepted an update candidate to glibc for mga3 at all knowing that the time was too short.

CC: (none) => stormi

Comment 8 claire robinson 2014-11-26 11:39:43 CET
It's been here for 3 days already. Mga3 EOL means no further updates so let's push please.

Feel free to separate mga4 to a separate bug and we'll handle it separately, you'll also need to split the advisory if you do.
Comment 9 claire robinson 2014-11-26 11:42:01 CET
The alternative is not to push in mga3 and clean it from updates_testing
Comment 10 Samuel Verschelde 2014-11-26 11:46:59 CET
I know what EOL means, and I think there should have been a delay of at least one week between the last update candidate and the actual EOL.

I'm just pointing at a risk, I won't split the bug if I'm the only one thinking it's too fast for a glibc update.

Not pushing it is an alternative indeed, but maybe Thomas can maybe tell about the risks he thinks there are (or aren't).
Comment 11 claire robinson 2014-11-26 11:50:40 CET
You could test it too :)
Comment 12 Samuel Verschelde 2014-11-26 11:51:58 CET
I'll install it on my mga4 workstation, for sure :)
Comment 13 Samuel Verschelde 2014-11-26 11:59:50 CET
Can we delay this one for a few hours, and I'll send an urgent call for testing to the mailing list?
Comment 14 claire robinson 2014-11-26 12:04:31 CET
Certainly. I'll remove the validated_update keyword in case others are script pushed before this is ready.

We will need a push/no-push today though please.

Keywords: validated_update => (none)

Comment 15 David Walser 2014-11-26 12:55:48 CET
This is ready for validation.  The change in this patch doesn't affect many programs in practice.  See this post for a list:
http://www.openwall.com/lists/oss-security/2014/11/21/9

So, for the paranoid, if you want to double-check that Flash still works just fine (including sound) and that the mailx package (i.e. the mail command) still works without errors, then you should feel comfortable that this update doesn't cause any regressions.
Comment 16 Samuel Verschelde 2014-11-26 13:00:03 CET
Well, the paranoid would not take the nature of the patch into account for such a package as glibc ;)
Comment 17 Rémi Verschelde 2014-11-26 13:09:30 CET
No obvious regression seen here on Mageia 3 32bit in vbox.
Among other tests, I made sure that flash works fine as advised by David.

CC: (none) => remi

Comment 18 olivier charles 2014-11-26 13:18:19 CET
I have not mentionned it here, but I've been using glibc-2.18-9.5.mga4.x86_64.rpm without any issue for some days as it was installed automatically with another testing package even before it was assigned to QA team.

As I did not test it using the PoC, I have not reported it her.

Testing package glibc for Mageia3-64 still runs well on my Mageia3-64 installation since my comment 4.

Both are on real hardware.
Comment 19 Thomas Backlund 2014-11-26 13:28:36 CET
(In reply to Samuel VERSCHELDE from comment #10)

> 
> Not pushing it is an alternative indeed, but maybe Thomas can maybe tell
> about the risks he thinks there are (or aren't).


There should not be any problems with it as the only thing the fix does is:

https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=posix/wordexp.c;h=26f3a2653feba2b1a5904937d9d6b58c32109e24;hp=b6b65dd993ec7e2ee5e3e88f8800c2e254cb9d5f;hb=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c;hpb=130ac68ca25c9aa65e027e3e37337bc048205c69

wich in short does as per the upstrem commit message:

This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.

so it "simply" moves an existing check up earlier in the call chain.

as for testing reference.. 
I also have it running on 2 live mga4 x86_64 servers and my mga4 x86_64 laptop since Saturday 22nd
Comment 20 Otto Leipälä 2014-11-26 13:36:22 CET
It have no single problems in my test install it's fine to push it now until Mga3 eol.

CC: (none) => ozkyster

Comment 21 claire robinson 2014-11-26 13:49:06 CET
Thanks everybody for the extra tests and information.

I'm re-validating but please don't hesitate to mention any issues before the update is pushed, which should be later today.

Keywords: (none) => validated_update

Comment 22 Marja Van Waes 2014-11-26 14:57:40 CET
ah, it was already revalidated.

Anyway, no issues here, everything works as expected (Mga3, 64bits, NVidia card), including HDvideo + sound + subtitles

CC: (none) => marja11

Comment 23 Mageia Robot 2014-11-26 18:30:31 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0496.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-28 18:19:08 CET

URL: (none) => http://lwn.net/Vulnerabilities/623290/


Note You need to log in before you can comment on or make changes to this bug.