Bug 19844 - gc new security issue CVE-2016-9427
Summary: gc new security issue CVE-2016-9427
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/707357/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-25 19:53 CET by David Walser
Modified: 2017-06-08 23:40 CEST

See Also:
Source RPM: gc-7.4.2-7.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2016-11-25 19:53:13 CET
Debian-LTS has issued an advisory today (November 25):
https://lwn.net/Alerts/707332/

Information about the fixes in the Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844771

Mageia 5 is also affected.
David Walser 2016-11-25 19:53:25 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-25 20:32:01 CET
Assigning to the registered maintainer of gc

CC: (none) => marja11
Assignee: bugsquad => luis.daniel.lucio

Comment 2 David Walser 2017-06-04 20:38:17 CEST
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated gc packages fix security vulnerability:

Kuang-che Wu discovered that multiple integer overflow vulnerabilities existed
in libgc. An attacker could use these to cause a denial of service (application
crash) or possibly execute arbitrary code (CVE-2016-9427).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9427
https://www.ubuntu.com/usn/usn-3197-1/
========================

Updated packages in core/updates_testing:
========================
libgc1-7.4.2-3.1.mga5
libgc-devel-7.4.2-3.1.mga5

from gc-7.4.2-3.1.mga5.src.rpm

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
Assignee: luis.daniel.lucio => qa-bugs

Comment 3 Len Lawrence 2017-06-05 11:42:26 CEST
Testing on x86_64, Mate, real hardware.

It looks like libgc is a garbage collector used as a replacement for malloc in C and C++.
The CVE link leads to http://www.openwall.com/lists/oss-security/2016/11/18/3 which lists many issues affecting w3m, which is a text-based web browser, CVE-2016-9427 amongst them. w3m is a text-based web browser supported by Mageia, but there do not appear to be any other applications which require this library.

Installed w3m and tried it out:
$ w3m http://exoplanet.eu

That brought up the pager OK.  Q to exit.
Running under strace is not very satisfactory as all the text output goes to the trace file.  At least it shows that libgc is being used.

$ cat w3m.trace | grep gc
open("/usr/lib64/libgc.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "/lib64/libgc.so.1.0.3\n7fe0ba6060"..., 1024) = 1024
getcwd("/home/lcl/qa/libgc", 4096)      = 19

Installed the two update packages and ran w3m again.  The navigation commands worked and it was possible to follow hyperlinks.
Another site: https://apod.nasa.gov/apod/astropix.html displayed an image in the terminal including colours and pressing return while the cursor was on the image brought up gqview (my default image viewer) with the same image.

Passing this for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2017-06-05 11:42:43 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 4 Dave Hodgins 2017-06-07 04:58:52 CEST
Similar testing on i586. Advisory committed to svn. Validating the update.

CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Dave Hodgins 2017-06-07 04:59:33 CEST

Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-06-08 23:40:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0157.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

