Debian-LTS has issued an advisory on July 12: http://lwn.net/Alerts/650875/ RedHat has a link to the upstream commit (and bug report) to fix the issue: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3239 Mageia 4 and Mageia 5 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron. This package is only used for building our kernel package. Advisory: ======================== Updated libunwind packages fix security vulnerability: An invalid DW_OP_bregXX opcodes can access dwarf_to_unw_regnum_map one item past the end (CVE-2015-3239). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3239 https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162200.html ======================== Updated packages in core/updates_testing: ======================== libunwind-1.1-2.1.mga4 libunwind-devel-1.1-2.1.mga4 libunwind-1.1-4.1.mga5 libunwind-devel-1.1-4.1.mga5 from SRPMS: libunwind-1.1-2.1.mga4.src.rpm libunwind-1.1-4.1.mga5.src.rpm
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOOCC: (none) => tmbVersion: Cauldron => 5Assignee: tmb => qa-bugs
Whiteboard: MGA4TOO => MGA4TOO advisoryCC: (none) => davidwhodgins
(In reply to David Walser from comment #1) > This package is only used for building our kernel package. In which case, can it be tested otherwise? Or does it need to be tested by someone who builds kernels? If the latter, how do we organise this?
CC: (none) => lewyssmith
Thomas could validate this himself if he wanted, but otherwise anyone can test building the kernel package from our SVN or Source RPM. For instance, if you have rpm-build, bm, and mgarepo installed, you should be able to do: mgarepo co -d 5 kernel cd kernel ./build_sources bm -ls su -c 'urpmi SRPMS/kernel*.rpm' bm -l You're probably OK if it builds fine, but you could test one of the built kernels too if you wanted. I'm not sure exactly what libunwind is used for in our kernel built process, especially since the kernel-linus package didn't also BuildRequire it.
Testing complete mga5 64 The rpm in 64bit is libunwind rather than lib64unwind. Is that expected? libunwind is required by perf. # urpmq --whatrequires libunwind libunwind libunwind-devel libunwind-devel perf weston Tested as below # perf bench mem memcpy # Running 'mem/memcpy' benchmark: # Copying 1MB Bytes ... 2.618130 GB/Sec 1.593087 GB/Sec (with prefault)
Whiteboard: MGA4TOO advisory => MGA4TOO advisory mga5-64-ok
Whiteboard: MGA4TOO advisory mga5-64-ok => MGA4TOO advisory has_procedure mga5-64-ok
(In reply to claire robinson from comment #4) > The rpm in 64bit is libunwind rather than lib64unwind. Is that expected? Yes, the SRPM name is libunwind, so the main package is creates is called that. lib64 stuff is only for library subpackages. > libunwind is required by perf. Ahh, that makes sense, and explains why kernel-linus doesn't need it. Thanks.
Testing Mageia 4 x64 Thanks for Claire's intervention Comment 4. BEFORE: libunwind-1.1-2.mga4 # perf bench mem memcpy # Running 'mem/memcpy' benchmark: # Copying 1MB Bytes ... 993.048659 MB/Sec 951.474786 MB/Sec (with prefault) AFTER: libunwind-1.1-2.1.mga4 # perf bench mem memcpy # Running 'mem/memcpy' benchmark: # Copying 1MB Bytes ... 1.086276 GB/Sec 951.474786 MB/Sec (with prefault) i.e. it still works, the update deemed OK.
Whiteboard: MGA4TOO advisory has_procedure mga5-64-ok => MGA4TOO advisory has_procedure mga5-64-ok MGA4-64-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0307.html
Status: NEW => RESOLVEDResolution: (none) => FIXED