Bug 17394 - glibc new security issues fixed upstream in 2.23 and more
Summary: glibc new security issues fixed upstream in 2.23 and more
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/669159/
Whiteboard: has_procedure advisory mga5-32-ok mga...
Keywords: validated_update
Reported: 2015-12-24 17:35 CET by David Walser
Modified: 2016-02-19 09:59 CET
CC List: 6 users

Source RPM: glibc-2.20-20.mga5.src.rpm

Description David Walser 2015-12-24 17:35:19 CET
OpenSuSE has issued an advisory today (December 24):
http://lists.opensuse.org/opensuse-updates/2015-12/msg00106.html

Thomas already included the patch for this in Cauldron.

All details are on the SuSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=950944

This is a minor issue, so you could queue the fix for this for a future update.

David Walser 2015-12-24 19:44:06 CET

URL: (none) => http://lwn.net/Vulnerabilities/669159/

Comment 1 David Walser 2016-01-19 19:46:11 CET
glibc 2.23 fixes this issue and four others.  CVE request:
http://openwall.com/lists/oss-security/2016/01/19/11
Comment 2 David Walser 2016-01-20 17:53:03 CET
CVE assignments have been made here:
http://openwall.com/lists/oss-security/2016/01/20/1

There seems to be a difference of opinion as to what constitutes a security vulnerability in glibc.  Interesting.  Anyway, it sounds like probably none of these are serious.

CVE assignments are:
BZ #18985 - CVE-2015-8776
BZ #18928 - CVE-2015-8777
BZ #18240 - CVE-2015-8778
BZ #16962 - CVE-2014-9761
BZ #17905 - CVE-2015-8779

Summary: glibc new security issue fixed upstream in 2.23 [BZ #18928] => glibc new security issues fixed upstream in 2.23

Comment 3 David Walser 2016-02-09 18:31:26 CET
LWN reference for some of the new CVEs:
http://lwn.net/Vulnerabilities/674835/

Debian-LTS has issued an advisory for this on February 5:
http://lwn.net/Alerts/674800/
Comment 4 David Walser 2016-02-16 17:15:17 CET
RedHat has issued an advisory today (February 16):
https://rhn.redhat.com/errata/RHSA-2016-0176.html

CVE-2015-7547 is critical and likely affects us.  CVE-2015-5229 is low severity and may not affect us, I'm not sure.

Summary: glibc new security issues fixed upstream in 2.23 => glibc new security issues fixed upstream in 2.23 and more
Severity: normal => critical

Comment 5 David Walser 2016-02-16 17:23:09 CET
Debian has issued an advisory for some of these CVEs today (February 16):
https://lists.debian.org/debian-security-announce/2016/msg00051.html
https://www.debian.org/security/2016/dsa-3481
Comment 6 David Walser 2016-02-16 20:23:03 CET
LWN reference for CVE-2015-7547:
http://lwn.net/Vulnerabilities/675830/
Comment 7 David Walser 2016-02-16 20:37:25 CET
From the Google blog post, PoC for CVE-2015-7547:
https://github.com/fjserna/CVE-2015-7547
Comment 8 David Walser 2016-02-17 16:40:19 CET
OpenSuSE has issued an advisory for several CVEs today (February 17):
http://lists.opensuse.org/opensuse-updates/2016-02/msg00103.html
Comment 9 David Walser 2016-02-17 20:45:22 CET
LWN reference for CVE-2015-5229:
http://lwn.net/Vulnerabilities/676082/
claire robinson 2016-02-18 12:09:46 CET

CC: (none) => eeeemail

Comment 10 Nicolas Lécureuil 2016-02-18 16:50:27 CET
What about this one? Is someone working on it?

CC: (none) => mageia

Comment 11 Florian Hubold 2016-02-18 20:53:25 CET
(In reply to Nicolas Lécureuil from comment #10)
> What about this one? Is someone working on it?

Seems it has been fixed for Cauldron already via http://svnweb.mageia.org/packages?view=revision&revision=966898

And well, nobody changed the bug into ASSIGNED state, so probably no one is working on it for mga5, I'd guess. But we should really get a fix out at the very least for CVE-2015-7547 urgently. Although it's probably not a good idea to hastily update to 2.23 IMHO.

Upstream fix from 2.21 branch doesn't apply cleanly:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=16d0a0ce7613552301786bf05d7eba8784b5732c
But FWIW, seems someone already rediffed the upstream patch for glibc 2.20:
https://gist.github.com/sstiller/d277b77a3b60805f9d7b

CC: (none) => doktor5000

Comment 12 Thomas Backlund 2016-02-18 20:55:30 CET
Work is in progress

Status: NEW => ASSIGNED

Comment 13 Thomas Backlund 2016-02-19 06:57:14 CET
CVE-2015-5229 is RH feature backport specific, so not for us


Advisory:
Updated glibc fixes the following security issues:

A stack overflow (unbounded alloca) could have caused applications which
process long strings with the nan function to crash or, potentially,
execute arbitrary code (CVE-2014-9761).

A stack-based buffer overflow in getaddrinfo allowed remote attackers
to cause a crash or execute arbitrary code via crafted and timed DNS
responses (CVE-2015-7547).

Out-of-range time values passed to the strftime function may cause it
to crash, leading to a denial of service, or potentially disclose
information (CVE-2015-8776).

Insufficient checking of LD_POINTER_GUARD environment variable allowed
local attackers to bypass the pointer guarding protection of the dynamic
loader on set-user-ID and set-group-ID programs (CVE-2015-8777).

Integer overflow in hcreate and hcreate_r could have caused an out-of-bounds
memory access, leading to application crashes or, potentially, arbitrary
code execution (CVE-2015-8778).

A stack overflow (unbounded alloca) in the catopen function could have
caused applications which pass long strings to the catopen function to
crash or, potentially, execute arbitrary code (CVE-2015-8779).



SRPM:
glibc-2.20-21.mga5.src.rpm

i586:
glibc-2.20-21.mga5.i586.rpm
glibc-devel-2.20-21.mga5.i586.rpm
glibc-doc-2.20-21.mga5.noarch.rpm
glibc-i18ndata-2.20-21.mga5.i586.rpm
glibc-profile-2.20-21.mga5.i586.rpm
glibc-static-devel-2.20-21.mga5.i586.rpm
glibc-utils-2.20-21.mga5.i586.rpm
nscd-2.20-21.mga5.i586.rpm

x86_64:
glibc-2.20-21.mga5.x86_64.rpm
glibc-devel-2.20-21.mga5.x86_64.rpm
glibc-doc-2.20-21.mga5.noarch.rpm
glibc-i18ndata-2.20-21.mga5.x86_64.rpm
glibc-profile-2.20-21.mga5.x86_64.rpm
glibc-static-devel-2.20-21.mga5.x86_64.rpm
glibc-utils-2.20-21.mga5.x86_64.rpm
nscd-2.20-21.mga5.x86_64.rpm

Hardware: i586 => All
Assignee: tmb => qa-bugs

Comment 14 Ben McMonagle 2016-02-19 08:26:44 CET
updated system to latest, 
then installed: 

glibc-2.20-21.mga5.i586.rpm
nscd-2.20-21.mga5.i586.rpm

rebooted, no issues noted

CC: (none) => westel

Comment 15 claire robinson 2016-02-19 09:06:04 CET
Tested mga5 64

Installed updates, rebooted. Checked the interwebs.

Confirmed patches applied, line 330 - 343 & 577-584.
http://svnweb.mageia.org/packages/updates/5/glibc/current/SPECS/glibc.spec?view=markup&pathrev=967476

Validating. Will upload advisory shortly.

Whiteboard: (none) => has_procedure mga5-32-ok mga5-64-ok

Comment 16 David GEIGER 2016-02-19 09:09:52 CET
Tested mga5_64,

Testing complete for new glibc-2.20-21.mga5, all seems to work properly here too.

CC: (none) => geiger.david68210

Comment 17 claire robinson 2016-02-19 09:12:55 CET
Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure advisory mga5-32-ok mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2016-02-19 09:41:14 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0079.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 19 claire robinson 2016-02-19 09:59:38 CET
Just to have this on record - 3 hours from building to testing and release.

Thanks everybody for availing your time to this priority update.
