Debian has issued an advisory on January 9: https://www.debian.org/security/2015/dsa-3123

These issues have previously been discussed on oss-security, and I was under the impression they have been addressed upstream. They may have been, but I don't remember seeing any mention of them in the binutils 2.25 release notes. Debian does have some patches, but it's not obvious that any of their patches to 2.25 in sid are related to the security issues, so they might be fixed in 2.25.

Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
LWN reference for CVE-2014-8484 and CVE-2014-8485: http://lwn.net/Vulnerabilities/629234/
Blocks: (none) => 14674
See the CVE descriptions, all of them have been fixed in binutils 2.25.

For cauldron:
CVE-2014-8737: was already fixed in 1:2.24-11.mga5
CVE-2014-8738: not sure, might be fixed with same patch as CVE-2014-8737
CVE-2014-8504: was already fixed in 1:2.24-11.mga5
CVE-2014-8503: was already fixed in 1:2.24-11.mga5
CVE-2014-8502: was already fixed in 1:2.24-11.mga5
CVE-2014-8501: was already fixed in 1:2.24-11.mga5
CVE-2014-8485: was already fixed in 1:2.24-11.mga5
CVE-2014-8484: was already fixed in 1:2.24-11.mga5
CC: (none) => cjw
Debian has links to the upstream commits for the CVEs. CVE-2014-8737 and CVE-2014-8738 are different and the fixes are in different source files. The binutils-2.24-corrupt-ar.patch patch we have has part of the CVE-2014-8738 patch, but not all of it: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=bb0d867169d7e9743d229804106a8fbcab7f3b3f binutils-2.24-corrupt-ar.patch is CVE-2014-8737. In fact, Debian's CVE-2014-8738 patch has the two parts we're missing. Description: CVE-2014-8738 fix Author: Luciano Bello <luciano@debian.org> Origin: backport: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bb0d867169d7e9743d229804106a8fbcab7f3b3f Applied-Upstream: commit: bb0d867169d7e9743d229804106a8fbcab7f3b3f --- --- a/bfd/archive.c +++ b/bfd/archive.c @@ -1272,6 +1272,9 @@ _bfd_slurp_extended_name_table (bfd *abf amt = namedata->parsed_size; if (amt + 1 == 0) goto byebye; + /* PR binutils/17533: A corrupt archive can contain an invalid size. */ + if (amt > (bfd_size_type) bfd_get_size (abfd)) + goto byebye; bfd_ardata (abfd)->extended_names_size = amt; bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1); @@ -1289,7 +1292,6 @@ _bfd_slurp_extended_name_table (bfd *abf if (bfd_get_error () != bfd_error_system_call) bfd_set_error (bfd_error_malformed_archive); bfd_release (abfd, (bfd_ardata (abfd)->extended_names)); - bfd_ardata (abfd)->extended_names = NULL; goto byebye; }
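Review bot: In the first hunk, the new bound `if (amt > (bfd_size_type) bfd_get_size (abfd)) goto byebye;` compares the extended name table size against the whole file, which is enough to stop the oversized bfd_zalloc but still admits a value that runs past the end of the file from the current read position, leaving that case to the bfd_bread failure path below; a tighter bound (bytes remaining after the header) would reject it before any read. The comment cites only PR binutils/17533; naming CVE-2014-8738 next to it would make the backport easier to audit against the advisory.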
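Review bot: The second hunk removes `bfd_ardata (abfd)->extended_names = NULL;` right after `bfd_release (abfd, (bfd_ardata (abfd)->extended_names));`, so after this hunk extended_names still points at released memory when control reaches byebye. That is only safe if the byebye label (outside the shown context) resets extended_names and extended_names_size, and nothing in the hunk or the patch description says so; the description should state where the pointer is now cleared, otherwise this hunk on its own turns a defensive NULL store into a dangling pointer.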
(In reply to David Walser from comment #3)
> Debian has links to the upstream commits for the CVEs.

I checked the commits of course, but used links in the separate redhat bugs (:

> The binutils-2.24-corrupt-ar.patch patch we have has part of the
> CVE-2014-8738 patch, but not all of it:

Thanks, the missing chunks are added as a separate patch in binutils-2.24-12.mga5. I don't have any plans for mga4 at this time.
OK, hopefully the rest of the CVEs are fully fixed. Marking this as just for Mageia 4 now. Since Mageia 4 is also binutils 2.24, is there any reason we can't sync it with Cauldron?
Whiteboard: MGA4TOO => (none)
Blocks: 14674 => (none)
Version: Cauldron => 4
Looking at the changelog I'd say submitting 2.24-12.mga5 as 2.24-3.1.mga4 is the right way to resolve the security issues.
Patched package uploaded for Mageia 4.

Advisory:
========================

Updated binutils packages fix security vulnerabilities:

Multiple security issues have been found in binutils. These vulnerabilities include multiple memory safety errors, buffer overflows, use-after-frees and other implementation errors that may lead to the execution of arbitrary code, the bypass of security restrictions, path traversal attack or denial of service (CVE-2014-8484, CVE-2014-8485, CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504, CVE-2014-8737, CVE-2014-8738).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8738
https://www.debian.org/security/2015/dsa-3123
========================

Updated packages in core/updates_testing:
========================
binutils-2.24-3.1.mga4
libbinutils-devel-2.24-3.1.mga4

from binutils-2.24-3.1.mga4.src.rpm
Assignee: tmb => qa-bugs
Severity: normal => major
Testing on Mageia4x64, real hardware

From current package:
--------------------
binutils-2.24-3.mga4

Ran a few binutils commands on binaries.

$ size --format=SysV /usr/bin/znc
/usr/bin/znc :
section size addr
.interp 28 4194872
.note.ABI-tag 32 4194900
(...)
.gnu_debuglink 16 0
.gnu_debugdata 1992 0
Total 1380109

$ objdump -f /usr/bin/zip
/usr/bin/zip: format de fichier elf64-x86-64
architecture: i386:x86-64, fanions 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
adresse de départ 0x000000000040816f

$ strings -a /usr/bin/lsusb
/lib64/ld-linux-x86-64.so.2
libusb-1.0.so.0
(...)
.gnu_debuglink
.gnu_debugdata

$ ar -cvq testbinutils.a Yamaha2.wav Yamaha.ogg
a - Yamaha2.wav
a - Yamaha.ogg
created an archive file (testbinutils.a) from two sound files

$ ar vx drawpile_0.8.6-1~getdeb1_amd64.deb
x - debian-binary
x - control.tar.gz
x - data.tar.gz
extracted a deb file found on the web

With updated testing packages:
---------------------------
binutils-2.24-3.1.mga4

Ran the same tests, all gave the same results.
OK for these tests, but I guess there is more to do to efficiently test binutils.
CC: (none) => olchal
Testing Mageia 4 i586.

$ size --format=SysV /usr/bin/krfb
/usr/bin/krfb :
section size addr
.interp 19 134512980
.note.ABI-tag 32 134513000
.note.gnu.build-id 36 134513032
.gnu.hash 5636 134513068
.dynsym 14064 134518704
.dynstr 24680 134532768
.gnu.version 1758 134557448
.gnu.version_r 304 134559208
.rel.dyn 232 134559512
.rel.plt 4616 134559744
.init 35 134564360
.plt 9248 134564400
.text 244002 134573648
.fini 20 134817652
.rodata 41702 134817696
.eh_frame_hdr 5644 134859400
.eh_frame 33236 134865044
.init_array 4 134905488
.fini_array 4 134905492
.jcr 4 134905496
.dynamic 352 134905500
.got 4 134905852
.got.plt 2320 134905856
.data 524 134908192
.bss 89600 134908736
.gnu_debuglink 16 0
.gnu_debugdata 7320 0
Total 485412

$ objdump -f /usr/bin/zip
/usr/bin/zip: file format elf32-i386
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x0805019e

$ strings -a /usr/bin/lsusb -n 60
{%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x}
Warning: mixer with %5u input and %5u output channels.
Warning: CLOCK_SOURCE descriptors are illegal for UAC1
Warning: CLOCK_SELECTOR descriptors are illegal for UAC1
Warning: CLOCK_MULTIPLIER descriptors are illegal for UAC1
Warning: SAMPLE_RATE_CONVERTER_UNIT descriptors are illegal for UAC1
Couldn't get configuration descriptor 0, some information will be missing
Couldn't get configuration descriptor %d, some information will be missing
FIXME: alloc bigger buffer for device capability descriptors
Lowest fully-functional device speed is Low Speed (1Mbps)
Lowest fully-functional device speed is Full Speed (12Mbps)
Lowest fully-functional device speed is High Speed (480Mbps)
Lowest fully-functional device speed is SuperSpeed (5Gbps)
Lowest fully-functional device speed is at an unknown speed!
Duplicate Physdes type spec at line %u terminal type %04x %s
Product/Subclass spec without prior Vendor/Class spec at line %u
Protocol spec without prior Class and Subclass spec at line %u
Duplicate audio terminal type spec at line %u terminal type %04x %s
Duplicate video terminal type spec at line %u terminal type %04x %s

$ ar -cvq testar.a pop.wav KDE-Sys-Log-In.ogg
a - pop.wav
a - KDE-Sys-Log-In.ogg

$ ar vx wicd_1.7.2.4-4.1_all.deb
x - debian-binary
x - control.tar.gz
x - data.tar.gz

Looks good.
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
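The two test comments above run the stock tools over ordinary binaries and well-formed archives. A more targeted check for the archive code path that CVE-2014-8738 touches is the added example below (not Mageia's or binutils' code): a minimal parser for the GNU ar format that builds an archive with a long member name so the "//" extended name table is used, applies the same file-size bound the fix adds in _bfd_slurp_extended_name_table (here to every member header, not only the name table), and shows that a constructed archive whose "//" size field is overwritten with an absurd value is reported as malformed instead of trusted. Member headers, the "/offset" long-name references and the "/\n" separators follow the GNU ar conventions; the sample members are constructed.

```python
AR_MAGIC = b"!<arch>\n"
HDR_SIZE = 60  # name(16) date(12) uid(6) gid(6) mode(8) size(10) fmag(2)
class MalformedArchive(ValueError):
    pass  # stands in for bfd_error_malformed_archive

def _member(name, body):
    # Fixed-width ASCII header, then the body padded to an even offset.
    hdr = b"%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (
        name, b"0", b"0", b"0", b"644", str(len(body)).encode())
    return hdr + body + (b"\n" if len(body) % 2 else b"")

def build_archive(members):
    # GNU convention: names over 15 bytes live in "//", referenced as "/offset".
    longnames, out = b"", []
    for name, body in members:
        if len(name) > 15:
            out.append(_member(b"/%d" % len(longnames), body))
            longnames += name + b"/\n"
        else:
            out.append(_member(name + b"/", body))
    table = _member(b"//", longnames) if longnames else b""
    return AR_MAGIC + table + b"".join(out)

def list_members(data):
    if not data.startswith(AR_MAGIC):
        raise MalformedArchive("bad magic")
    pos, names, longnames = len(AR_MAGIC), [], b""
    while pos + HDR_SIZE <= len(data):
        hdr = data[pos:pos + HDR_SIZE]
        if hdr[58:60] != b"`\n":
            raise MalformedArchive("bad fmag at offset %d" % pos)
        name, amt = hdr[:16].rstrip(), int(hdr[48:58].decode("ascii"))
        # PR binutils/17533 bound (bfd_get_size in the fix), before any allocation/read.
        if amt > len(data):
            raise MalformedArchive("size %d exceeds file size %d" % (amt, len(data)))
        body = data[pos + HDR_SIZE:pos + HDR_SIZE + amt]
        if name == b"//":
            longnames = body
        elif name.startswith(b"/") and name[1:].isdigit():
            off = int(name[1:])
            names.append(longnames[off:longnames.index(b"/\n", off)])
        elif name != b"/":  # "/" alone is the symbol table
            names.append(name.rstrip(b"/"))
        pos += HDR_SIZE + amt + (amt & 1)
    return names

def corrupt_table_size(data, bogus=b"4294967295"):
    # Constructed test input: overwrite the "//" header's 10-byte size field.
    i = data.index(b"//" + b" " * 14)
    return data[:i + 48] + bogus.ljust(10)[:10] + data[i + 58:]

def rejects(data):  # True when list_members reports the archive as malformed
    try: list_members(data); return False
    except MalformedArchive: return True
SAMPLE = [(b"short.o", b"\x7fELF-ish"), (b"a_member_with_a_very_long_name.o", b"xx")]
```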
seems to be an issue reported in bug 15063, blocking for now
CC: (none) => tmb
Depends on: (none) => 15063
Dropping the blocker... turns out it's not a regression but an old known problem with known workarounds... I will maybe fix it later for mga4, but no need to hold up this security update.
Depends on: 15063 => (none)
Validating. Advisory uploaded.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0027.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED