Bug 17375 - mono new security issue CVE-2009-0689
Summary: mono new security issue CVE-2009-0689
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/363745/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-12-21 21:15 CET by David Walser
Modified: 2016-01-14 02:45 CET (History)
4 users (show)

See Also:
Source RPM: mono-3.12.1-1.1.mga5.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-12-21 21:15:23 CET 
A security issue in Mono before version 4.2 has been announced today (December 21):
http://openwall.com/lists/oss-security/2015/12/19/3

The message above contains a link to a commit to fix the issue.

Reproducible: 

Steps to Reproduce:
David Walser 2015-12-21 21:15:38 CET

CC: (none) => rverschelde

Comment 1 David Walser 2015-12-30 22:44:45 CET 
Fedora has issued an advisory for this on December 29:
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174612.html

The fix is here:
https://gist.github.com/directhex/01e853567fd2cc74ed39

Apparently it's a high severity issue.

URL: (none) => http://lwn.net/Vulnerabilities/363745/
Severity: normal => critical

Comment 2 David Walser 2016-01-12 20:24:45 CET 
Patched package uploaded for Mageia 5. 

Note that there's a PoC in the message linked in Comment 0.

Advisory:
========================

Updated mono packages fix security vulnerability:

It was found that float-parsing code used in Mono before 4.2 is derived from
code vulnerable to CVE-2009-0689. The issue concerns the `freelist` array,
which is a global array of 16 pointers to `Bigint`. This array is part of a
memory allocation and reuse system which attempts to reduce the number of
`malloc` and `free` calls. The system allocates blocks in power-of-two sizes,
from 2^0 through 2^15, and stores freed blocks of each size in a linked list
rooted at the corresponding cell of `freelist`. The `Balloc` and `Bfree`
functions which operate this system fail to check if the size parameter `k` is
within the allocated 0..15 range. As a result, a sufficiently large allocation
will have k=16 and treat the word immediately after `freelist` as a pointer to
a previously-allocated chunk. The specific results may vary significantly based
on the version, platform, and compiler, since they depend on the layout of
variables in memory. An attacker who can cause a carefully-chosen string to be
converted to a floating-point number can cause a crash and potentially induce
arbitrary code execution.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689
http://openwall.com/lists/oss-security/2015/12/19/3
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174612.html
========================

Updated packages in core/updates_testing:
========================
mono-3.12.1-1.2.mga5
mono-doc-3.12.1-1.2.mga5
libmono0-3.12.1-1.2.mga5
libmono2.0_1-3.12.1-1.2.mga5
mono-data-sqlite-3.12.1-1.2.mga5
libmono-devel-3.12.1-1.2.mga5
mono-winfxcore-3.12.1-1.2.mga5
mono-web-3.12.1-1.2.mga5
mono-data-oracle-3.12.1-1.2.mga5
mono-data-3.12.1-1.2.mga5
mono-extras-3.12.1-1.2.mga5
mono-ibm-data-db2-3.12.1-1.2.mga5
mono-winforms-3.12.1-1.2.mga5
mono-locale-extras-3.12.1-1.2.mga5
mono-data-postgresql-3.12.1-1.2.mga5
mono-nunit-3.12.1-1.2.mga5
monodoc-core-3.12.1-1.2.mga5
mono-rx-core-3.12.1-1.2.mga5
mono-rx-desktop-3.12.1-1.2.mga5
mono-wcf-3.12.1-1.2.mga5

from mono-3.12.1-1.2.mga5.src.rpm

Assignee: matteo.pasotti => qa-bugs

Comment 3 William Kenney 2016-01-13 19:40:33 CET 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mono banshee ( mono installs with banshee install )

default install of mono & banshee

[root@localhost wilcal]# urpmi mono
Package mono-3.12.1-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi banshee
Package banshee-2.6.2-8.mga5.i586 is already installed

I can play an mp3 file with banshee.

install mono from updates_testing

[root@localhost wilcal]# urpmi mono
Package mono-3.12.1-1.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi banshee
Package banshee-2.6.2-8.mga5.i586 is already installed

I can play an mp3 file with banshee.

CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK

Comment 4 William Kenney 2016-01-13 19:55:03 CET 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
mono banshee ( mono installs with banshee install )

default install of mono & banshee

[root@localhost wilcal]# urpmi mono
Package mono-3.12.1-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi banshee
Package banshee-2.6.2-8.mga5.x86_64 is already installed

I can play an mp3 file with banshee.

install mono from updates_testing

[root@localhost wilcal]# urpmi mono
Package mono-3.12.1-1.2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi banshee
Package banshee-2.6.2-8.mga5.x86_64 is already installed

I can play an mp3 file with banshee.
William Kenney 2016-01-13 19:55:18 CET

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 5 William Kenney 2016-01-13 19:56:01 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-01-13 23:13:03 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 6 Mageia Robot 2016-01-14 02:45:25 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0013.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.