A security issue fixed upstream in util-linux has been announced today (July 11):
http://openwall.com/lists/oss-security/2016/07/11/2

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

The util-linux libblkid is vulnerable to a Denial of Service attack during MSDOS partition table parsing, in the extended partition boot record (EBR). If the next EBR starts at relative offset 0, parse_dos_extended() will loop until running out of memory. An attacker could install a specially crafted MSDOS partition table in a storage device and trick a user into using it. This library is used, among others, by systemd-udevd daemon (CVE-2016-5011).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011
http://openwall.com/lists/oss-security/2016/07/11/2
========================

Updated packages in core/updates_testing:
========================
util-linux-2.25.2-3.3.mga5
libblkid1-2.25.2-3.3.mga5
libblkid-devel-2.25.2-3.3.mga5
libuuid1-2.25.2-3.3.mga5
libuuid-devel-2.25.2-3.3.mga5
uuidd-2.25.2-3.3.mga5
python-libmount-2.25.2-3.3.mga5
libmount1-2.25.2-3.3.mga5
libmount-devel-2.25.2-3.3.mga5
libsmartcols1-2.25.2-3.3.mga5
libsmartcols-devel-2.25.2-3.3.mga5

from util-linux-2.25.2-3.3.mga5.src.rpm
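The looping condition named in the advisory, as an added C sketch (not util-linux's parse_dos_extended() or its patch): an EBR chain walker that rejects a link at relative offset 0 and bounds the chain length. The names walk_ebr_chain and make_ebr, the MAX_EBR cap and the in-memory 8-sector image are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR  512
#define PT_OFF  446   /* partition table offset inside an MBR/EBR sector */
#define MAX_EBR 64    /* assumed chain-length cap for this sketch */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the EBR chain at sector ext_start; return logical partition count, -1 if malformed. */
int walk_ebr_chain(const uint8_t *img, uint32_t nsectors, uint32_t ext_start) {
    uint32_t cur = ext_start;
    int logical = 0;
    for (int i = 0; i < MAX_EBR; i++) {
        if (cur >= nsectors) return -1;                      /* link leaves the device */
        const uint8_t *s = img + (size_t)cur * SECTOR;
        if (s[510] != 0x55 || s[511] != 0xaa) return -1;     /* no boot signature */
        const uint8_t *data = s + PT_OFF, *link = data + 16;
        if (data[4] != 0 && le32(data + 12) != 0) logical++; /* entry 0: logical partition */
        if ((link[4] != 0x05 && link[4] != 0x0f && link[4] != 0x85) || le32(link + 12) == 0)
            return logical;                                  /* entry 1 empty: end of chain */
        uint32_t rel = le32(link + 8);                       /* offset relative to ext_start */
        if (rel == 0 || rel > UINT32_MAX - ext_start) return -1; /* 0 re-reads the first EBR */
        cur = ext_start + rel;
    }
    return -1;                                               /* longer than MAX_EBR: assume a cycle */
}

/* Constructed sample EBR in sector `at`: one 1-sector partition, link if link_rel >= 0. */
void make_ebr(uint8_t *img, uint32_t at, int link_rel) {
    uint8_t *s = img + (size_t)at * SECTOR;
    memset(s, 0, SECTOR);
    s[PT_OFF + 4] = 0x83; s[PT_OFF + 8] = 1; s[PT_OFF + 12] = 1;
    if (link_rel >= 0) {
        s[PT_OFF + 20] = 0x05; s[PT_OFF + 24] = (uint8_t)link_rel; s[PT_OFF + 28] = 1;
    }
    s[510] = 0x55; s[511] = 0xaa;
}

int main(void) {
    static uint8_t img[8 * SECTOR];             /* constructed 8-sector image */
    make_ebr(img, 1, 2); make_ebr(img, 3, -1);  /* EBR@1 -> EBR@3 -> end */
    int ok = walk_ebr_chain(img, 8, 1);         /* 2 logical partitions */
    make_ebr(img, 1, 0);                        /* next EBR at relative offset 0 */
    printf("good=%d offset0=%d\n", ok, walk_ebr_chain(img, 8, 1));
    return 0;
}
```

The MAX_EBR bound also stops cycles that do not pass through offset 0, such as an EBR whose link points at itself.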
The initial fix was incomplete:
http://openwall.com/lists/oss-security/2016/07/12/6

Second patch added and packages rebuilt.

Updated packages in core/updates_testing:
========================
util-linux-2.25.2-3.4.mga5
libblkid1-2.25.2-3.4.mga5
libblkid-devel-2.25.2-3.4.mga5
libuuid1-2.25.2-3.4.mga5
libuuid-devel-2.25.2-3.4.mga5
uuidd-2.25.2-3.4.mga5
python-libmount-2.25.2-3.4.mga5
libmount1-2.25.2-3.4.mga5
libmount-devel-2.25.2-3.4.mga5
libsmartcols1-2.25.2-3.4.mga5
libsmartcols-devel-2.25.2-3.4.mga5

from util-linux-2.25.2-3.4.mga5.src.rpm
Testing complete mga5 64

Checked rpmdiff on madb, numerous patches applied.

# urpmi util-linux lib64blkid1 lib64uuid1 uuidd python-libmount lib64mount1 lib64smartcols1
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Updates Testing")
  lib64blkid-devel               2.25.2       3.4.mga5      x86_64
  lib64blkid1                    2.25.2       3.4.mga5      x86_64
  lib64mount1                    2.25.2       3.4.mga5      x86_64
  lib64smartcols1                2.25.2       3.4.mga5      x86_64
  lib64uuid1                     2.25.2       3.4.mga5      x86_64
  python-libmount                2.25.2       3.4.mga5      x86_64
  util-linux                     2.25.2       3.4.mga5      x86_64
  uuidd                          2.25.2       3.4.mga5      x86_64
124KB of additional disk space will be used.
2.1MB of packages will be retrieved.
Proceed with the installation of the 8 packages? (Y/n) y

Ran blkid to ensure sane output as the patch affects libblkid.

Checked uuidd could be started..

# systemctl start uuidd.service
# systemctl status uuidd.service
● uuidd.service - Daemon for generating UUIDs
   Loaded: loaded (/usr/lib/systemd/system/uuidd.service; static)
   Active: active (running) since Thu 2016-07-14 16:59:50 BST; 1s ago

Tested a few commands from the list..

# urpmf util-linux | grep bin

Finally rebooted to check for anything odd. Nothing odd noticed.
Whiteboard: (none) => has_procedure mga5-64-ok
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0256.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/694627/