Bug 18440 - glibc new security issues CVE-2016-1234, CVE-2016-3075, and CVE-2016-3706
Summary: glibc new security issues CVE-2016-1234, CVE-2016-3075, and CVE-2016-3706
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/687047/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-05-11 21:18 CEST by David Walser
Modified: 2016-05-24 00:01 CEST (History)
2 users

See Also:
Source RPM: glibc-2.20-21.mga5.src.rpm
CVE:
Status comment:



Comment 1 Thomas Backlund 2016-05-11 21:57:11 CEST
Cauldron fixed with glibc-2.22-17.mga6
Comment 2 David Walser 2016-05-13 19:14:50 CEST
Fedora has issued an advisory on May 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WENVYEYN5OSQXJQV7L4TQOKH3BODV6PB/

This fixes an additional issue, CVE-2016-3706.

Thomas has already fixed this in Cauldron.

from http://lwn.net/Vulnerabilities/687400/

Summary: glibc new security issues CVE-2016-1234 and CVE-2016-3075 => glibc new security issues CVE-2016-1234, CVE-2016-3075, and CVE-2016-3706

Comment 3 David Walser 2016-05-22 21:16:33 CEST
Patched package uploaded for Mageia 5 by Thomas.

Advisory:
========================

Updated glibc packages fix security vulnerabilities:

It was found that the glob implementation in glibc does not correctly handle
overlong names in struct dirent buffers when GLOB_ALTDIRFUNC is used, causing
a large stack-based buffer overflow with controlled length and content
(CVE-2016-1234).

A stack overflow vulnerability (unbounded allocation) in the
_nss_dns_getnetbyname_r function was found (CVE-2016-3075).

A stack (frame) overflow in getaddrinfo() when called with AF_INET, AF_INET6
(incomplete fix for CVE-2013-4458) (CVE-2016-3706).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3706
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ICIY2WE4MCXHRVFZPY24JZKPAXG4PDIZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WENVYEYN5OSQXJQV7L4TQOKH3BODV6PB/
========================

Updated packages in core/updates_testing:
========================
glibc-2.20-22.mga5
glibc-devel-2.20-22.mga5
glibc-static-devel-2.20-22.mga5
glibc-profile-2.20-22.mga5
nscd-2.20-22.mga5
glibc-utils-2.20-22.mga5
glibc-i18ndata-2.20-22.mga5
glibc-doc-2.20-22.mga5

from glibc-2.20-22.mga5.src.rpm

CC: (none) => tmb
Assignee: tmb => qa-bugs

Comment 4 David Walser 2016-05-22 21:21:58 CEST
PoC for CVE-2016-1234 here:
https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2016-1234

Whiteboard: (none) => has_procedure

Comment 5 David Walser 2016-05-23 01:18:39 CEST
Followed the procedure on the upstream bug and got a Segmentation fault before the update, and no segfault after the update, on Mageia 5 i586 and x86_64.

Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK

Comment 6 David Walser 2016-05-23 02:43:06 CEST
Advisory added in SVN. Perhaps someone could check the formatting.

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 7 claire robinson 2016-05-23 21:49:00 CEST
All good, thanks. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2016-05-24 00:01:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0206.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
