Mandriva has issued an advisory today (April 30): http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A218/ LWN references: http://lwn.net/Vulnerabilities/634468/ (CVE-2013-7423) http://lwn.net/Vulnerabilities/641239/ (CVE-2015-1781) RedHat has issued an advisory for this on April 21: https://rhn.redhat.com/errata/RHSA-2015-0863.html I'm not sure if these have been fixed in Cauldron yet, or if Thomas has any other fixes for Mageia 4 pending. Oden has committed the patches from RHEL6 to fix these issues in Mageia 4 SVN and a build for it is currently in Mageia 4 core/updates_testing. glibc-2.18-9.10.mga4 glibc-devel-2.18-9.10.mga4 glibc-doc-2.18-9.10.mga4 glibc-i18ndata-2.18-9.10.mga4 glibc-profile-2.18-9.10.mga4 glibc-static-devel-2.18-9.10.mga4 glibc-utils-2.18-9.10.mga4 nscd-2.18-9.10.mga4 from glibc-2.18-9.10.mga4.src.rpm It would be nice to get these tested and pushed with the kernel update if possible, as that may be ready to be validated. Assigning to tmb for now to decide what to do with this. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
RedHat has issued an advisory on March 5: https://rhn.redhat.com/errata/RHSA-2015-0327.html This fixes an additional issue that we haven't addressed, CVE-2014-8121. CVE-2014-6040 was fixed in Bug 13995. Thomas has committed fixed for all outstanding issues in Mageia 4 and Cauldron.
Summary: glibc new security issues CVE-2013-7423 and CVE-2015-1781 => glibc new security issues CVE-2013-7423, CVE-2014-8121, and CVE-2015-1781
Packages to test: SRPM: glibc-2.18-9.11.mga4.src.rpm i586: glibc-2.18-9.11.mga4.i586.rpm glibc-devel-2.18-9.11.mga4.i586.rpm glibc-doc-2.18-9.11.mga4.noarch.rpm glibc-i18ndata-2.18-9.11.mga4.i586.rpm glibc-profile-2.18-9.11.mga4.i586.rpm glibc-static-devel-2.18-9.11.mga4.i586.rpm glibc-utils-2.18-9.11.mga4.i586.rpm nscd-2.18-9.11.mga4.i586.rpm x86_64: glibc-2.18-9.11.mga4.x86_64.rpm glibc-devel-2.18-9.11.mga4.x86_64.rpm glibc-doc-2.18-9.11.mga4.noarch.rpm glibc-i18ndata-2.18-9.11.mga4.x86_64.rpm glibc-profile-2.18-9.11.mga4.x86_64.rpm glibc-static-devel-2.18-9.11.mga4.x86_64.rpm glibc-utils-2.18-9.11.mga4.x86_64.rpm nscd-2.18-9.11.mga4.x86_64.rpm Advisory: Updated glibc package fixes security vulnerabilities: It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data. (CVE-2013-7423) It was found that the files back end of Name Service Switch (NSS) did not isolate iteration over an entire database from key-based look-up API calls. An application performing look-ups on a database while iterating over it could enter an infinite loop, leading to a denial of service. (CVE-2014-8121) A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application. (CVE-2015-1781) Joseph Myers discovered strxfrm is vulnerable to integer overflows when computing memory allocation sizes (similar to CVE-2012-4412) [BZ #16009] (CVE pending) Shaun Colley discovered strxfrm falls back to an unbounded alloca if malloc fails making it vulnerable to stack-based buffer overflows (similar to CVE-2012-4424) [BZ #16009] (CVE pending) A buffer overflow flaw was found in libio/wstrops.c:_IO_wstr_overflow wich allows for overflow in calculating the new size in wide characters, but not for overflow in the multiplication to compute the size in bytes, which could thus overflow and result in a buffer overrun copying data into the new buffer. [BZ #17269] (CVE pending) When processing certain malformed patterns, fnmatch can skip over the NUL byte terminating the pattern. This can potentially result in an application crash if fnmatch hits an unmapped page before encountering a NUL byte. [BZ #18032] (CVE pending) Other fixes in this update: nscd package was missing the /var/db/nscd directory wich prevented it to work properly (mga#15545). References: https://bugs.mageia.org/show_bug.cgi?id=15545 https://bugs.mageia.org/show_bug.cgi?id=15800 https://sourceware.org/bugzilla/show_bug.cgi?id=16009 https://sourceware.org/bugzilla/show_bug.cgi?id=17269 https://sourceware.org/bugzilla/show_bug.cgi?id=18032 https://rhn.redhat.com/errata/RHSA-2015-0327.html https://rhn.redhat.com/errata/RHSA-2015-0863.html
Hardware: i586 => AllVersion: Cauldron => 4Assignee: tmb => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => (none)
I installed all the glibc packages on both a Mageia 4 x86-64 VBox VM and an x86-64 Acer Laptop running Mageia 4 and, after a reboot, everything seems to be in order on both: * Konqueror. * KDE 4. * VLC with a video. * YouTube HTML 5 video playback. * An HTML 5 demo. * Extreme Tux Racer. * gwenview. * konsole * ls -lR * find * su / sudo Marking as MGA4-64-OK.
CC: (none) => shlomifWhiteboard: (none) => MGA4-64-OK
Question: can I test the 32-bit versions of these packages only on a VBox VM?
Yes that's valid Shlomi. 64bit was tested on your laptop anyway. It's usually worth checking for PoC's for things like this to help with testing. eg. https://sourceware.org/bugzilla/show_bug.cgi?id=18032 from the advisory.
I upgraded this glibc on my workstation at home and didn't have any issues (Mageia 4 i586). I didn't check for PoCs though, there probably are some.
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA4-64-OK => advisory mga4-32-ok MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0195.html
Status: NEW => RESOLVEDResolution: (none) => FIXED