Bug 16375 - libunwind new security issue CVE-2015-3239
Summary: libunwind new security issue CVE-2015-3239
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/650889/
Whiteboard: MGA4TOO advisory has_procedure mga5-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-07-13 19:43 CEST by David Walser
Modified: 2015-08-10 16:33 CEST (History)
4 users (show)

See Also:
Source RPM: libunwind-1.1-4.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-07-13 19:43:33 CEST
Debian-LTS has issued an advisory on July 12:
http://lwn.net/Alerts/650875/

RedHat has a link to the upstream commit (and bug report) to fix the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3239

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-07-13 19:43:48 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-07-21 18:06:43 CEST
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

This package is only used for building our kernel package.

Advisory:
========================

Updated libunwind packages fix security vulnerability:

An invalid DW_OP_bregXX opcodes can access dwarf_to_unw_regnum_map one item
past the end (CVE-2015-3239).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3239
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162200.html
========================

Updated packages in core/updates_testing:
========================
libunwind-1.1-2.1.mga4
libunwind-devel-1.1-2.1.mga4
libunwind-1.1-4.1.mga5
libunwind-devel-1.1-4.1.mga5

from SRPMS:
libunwind-1.1-2.1.mga4.src.rpm
libunwind-1.1-4.1.mga5.src.rpm

Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
CC: (none) => tmb
Version: Cauldron => 5
Assignee: tmb => qa-bugs

Dave Hodgins 2015-07-28 16:15:48 CEST

Whiteboard: MGA4TOO => MGA4TOO advisory
CC: (none) => davidwhodgins

Comment 2 Lewis Smith 2015-07-28 21:03:20 CEST
(In reply to David Walser from comment #1)

> This package is only used for building our kernel package.
In which case, can it be tested otherwise? Or does it need to be tested by someone who builds kernels? If the latter, how do we organise this?

CC: (none) => lewyssmith

Comment 3 David Walser 2015-07-28 21:29:58 CEST
Thomas could validate this himself if he wanted, but otherwise anyone can test building the kernel package from our SVN or Source RPM.

For instance, if you have rpm-build, bm, and mgarepo installed, you should be able to do:
mgarepo co -d 5 kernel
cd kernel
./build_sources
bm -ls
su -c 'urpmi SRPMS/kernel*.rpm'
bm -l

You're probably OK if it builds fine, but you could test one of the built kernels too if you wanted.  I'm not sure exactly what libunwind is used for in our kernel built process, especially since the kernel-linus package didn't also BuildRequire it.
Comment 4 claire robinson 2015-07-29 13:35:10 CEST
Testing complete mga5 64

The rpm in 64bit is libunwind rather than lib64unwind. Is that expected?

libunwind is required by perf.

# urpmq --whatrequires libunwind
libunwind
libunwind-devel
libunwind-devel
perf
weston

Tested as below

# perf bench mem memcpy

# Running 'mem/memcpy' benchmark:
# Copying 1MB Bytes ...

       2.618130 GB/Sec
       1.593087 GB/Sec (with prefault)

Whiteboard: MGA4TOO advisory => MGA4TOO advisory mga5-64-ok

claire robinson 2015-07-29 13:36:06 CEST

Whiteboard: MGA4TOO advisory mga5-64-ok => MGA4TOO advisory has_procedure mga5-64-ok

Comment 5 David Walser 2015-07-29 14:05:03 CEST
(In reply to claire robinson from comment #4)
> The rpm in 64bit is libunwind rather than lib64unwind. Is that expected?

Yes, the SRPM name is libunwind, so the main package is creates is called that.  lib64 stuff is only for library subpackages.

> libunwind is required by perf.

Ahh, that makes sense, and explains why kernel-linus doesn't need it.  Thanks.
Comment 6 Lewis Smith 2015-08-02 21:50:00 CEST
Testing Mageia 4 x64

Thanks for Claire's intervention Comment 4.
BEFORE: libunwind-1.1-2.mga4
# perf bench mem memcpy
# Running 'mem/memcpy' benchmark:
# Copying 1MB Bytes ...
     993.048659 MB/Sec
     951.474786 MB/Sec (with prefault)

AFTER: libunwind-1.1-2.1.mga4
# perf bench mem memcpy
# Running 'mem/memcpy' benchmark:
# Copying 1MB Bytes ...
       1.086276 GB/Sec
     951.474786 MB/Sec (with prefault)

i.e. it still works, the update deemed OK.

Whiteboard: MGA4TOO advisory has_procedure mga5-64-ok => MGA4TOO advisory has_procedure mga5-64-ok MGA4-64-OK

Dave Hodgins 2015-08-10 05:50:51 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-08-10 16:33:06 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0307.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.