Bug 17087 - util-linux new security issue CVE-2015-5218
Summary: util-linux new security issue CVE-2015-5218
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/663071/
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK a...
Keywords: validated_update
Reported: 2015-11-04 20:00 CET by David Walser
Modified: 2015-11-05 23:47 CET

Source RPM: util-linux-2.25.2-3.1.mga5.src.rpm


Attachments
Test file for colcrt (314 bytes, application/octet-stream)
2015-11-04 23:26 CET, Len Lawrence

Description David Walser 2015-11-04 20:00:54 CET
OpenSuSE has issued an advisory today (November 4):
http://lists.opensuse.org/opensuse-updates/2015-11/msg00035.html

The OpenSuSE bug has PoC information:
https://bugzilla.suse.com/show_bug.cgi?id=949754

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

A buffer overflow in the colcrt command in util-linux can lead to a crash
when given a large input (CVE-2015-5218).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5218
http://lists.opensuse.org/opensuse-updates/2015-11/msg00035.html
========================

Updated packages in core/updates_testing:
========================
util-linux-2.25.2-3.2.mga5
libblkid1-2.25.2-3.2.mga5
libblkid-devel-2.25.2-3.2.mga5
libuuid1-2.25.2-3.2.mga5
libuuid-devel-2.25.2-3.2.mga5
uuidd-2.25.2-3.2.mga5
python-libmount-2.25.2-3.2.mga5
libmount1-2.25.2-3.2.mga5
libmount-devel-2.25.2-3.2.mga5
libsmartcols1-2.25.2-3.2.mga5
libsmartcols-devel-2.25.2-3.2.mga5

from util-linux-2.25.2-3.2.mga5.src.rpm

Comment 1 Len Lawrence 2015-11-04 23:26:05 CET
Created attachment 7183
Test file for colcrt

CC: (none) => tarazed25

Comment 2 Len Lawrence 2015-11-04 23:30:09 CET
4.1.12-desktop-1.mga5  x86_64 
Downloaded the test file from the PoC link provided.
$ colcrt  binZ8dhbQ3bFM.bin
Segmentation fault

Updated to the packages listed above, leaving out the development packages.

Ran the same command - no seg fault.
Adding the 64-bit OK.
Len Lawrence 2015-11-04 23:30:45 CET

Whiteboard: (none) => has_procedure MGA5-64-OK

Comment 3 Len Lawrence 2015-11-05 00:30:14 CET
Switched to 32-bit architecture on a VM.
4.1.12-desktop-1.mga5

Tried the PoC as before and received a segfault.
Updated the seven packages (left out devel packages).
No segfault for the same test.

Ran it again under strace to see what was going on and it all looked above board.
The last few lines indicate a successful read on file id 3 which returned the size of the file in bytes and then a normal close.
read(3, "_\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\27\0\20\27\27\27\27\27\27"..., 4096) = 314
close(3)                                = 0

Good for 32-bits.
Len Lawrence 2015-11-05 00:30:44 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Dave Hodgins 2015-11-05 22:30:50 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2015-11-05 23:47:08 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0434.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

