OpenSuSE has issued an advisory on June 12: http://lists.opensuse.org/opensuse-updates/2015-06/msg00030.html PoC information is in the SuSE bug: https://bugzilla.suse.com/show_bug.cgi?id=928749 A simpler PoC is in this oss-security post: http://openwall.com/lists/oss-security/2015/05/15/1 I've already verified this fixes the latter PoC on i586. Patched package uploaded for Mageia 4 (Cauldron was fixed a month ago). Advisory: ======================== Updated coreutils packages fix security vulnerabilities: Buffer overflows in sort related to the usage of UTF-8 characters (CVE-2015-4041, CVE-2015-4042). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4041 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4042 http://lists.opensuse.org/opensuse-updates/2015-06/msg00030.html ======================== Updated packages in core/updates_testing: ======================== coreutils-8.21-6.2.mga4 coreutils-doc-8.21-6.2.mga4 from coreutils-8.21-6.2.mga4.src.rpm Reproducible: Steps to Reproduce:
Tested on a Mageia 4 x86-64 VM. PoC failed before the updated and everything was OK after that.
CC: (none) => shlomifWhiteboard: (none) => MGA4-64-OK has_procedure
Adding the OK from my previous test.
Whiteboard: MGA4-64-OK has_procedure => MGA4-32-OK MGA4-64-OK has_procedure
I also tested both PoCs on MGA4-32-OK and verified them to be fixed.
Advisory committed to svn. Someone from the sysadmin team please push 16120.adv to updates for Mageia 4.
Keywords: (none) => validated_updateWhiteboard: MGA4-32-OK MGA4-64-OK has_procedure => MGA4-32-OK MGA4-64-OK has_procedure advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0259.html
Status: NEW => RESOLVEDResolution: (none) => FIXED