The recently reported security issue in rpcbind/libtirpc also affects glibc:
The message above contains a link to a patch.
Will hold this one back for now... upstream is still debating what and how to fix properly
RedHat has issued an advisory on June 19:
This is the highly publicized Stack Clash issue, which also has a kernel component. I'm not sure if there's been any debate about the glibc fixes, but there has been about the kernel fixes. Apparently the fix RedHat and Ubuntu used causes more issues. Upstream has better fixes that they are working on backporting to stable kernels. I'm not sure if they've gotten to 4.4 and 4.9 yet.
glibc new security issue CVE-2017-8804 =>
glibc new security issues CVE-2017-8804 and CVE-2017-1000366
glibc-2.22-25.mga6 uploaded for Cauldron by Thomas, fixing these.
Thomas has informed me that a glibc build to fix these for Mageia 5 is available, and that the kernel should hopefully be addressed in the next couple of days (pending completion of the fixes upstream).
Updated glibc packages fix security vulnerabilities:
The sunrpc implementation in glibc is vulnerable to a flaw that can cause it to
be triggered to allocate additional memory until it causes a crash, similar to
A flaw was found in the way memory was being allocated on the stack for user
space binaries. If heap (or different memory region) and stack memory regions
were adjacent to each other, an attacker could use this flaw to jump over the
stack guard gap, cause controlled memory corruption on process stack or the
adjacent memory region, and thus increase their privileges on the system. This
is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs
running in secure-execution mode and reduces the number of allocations performed
by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful
exploitation of this issue more difficult (CVE-2017-1000366).
The CVE-2017-1000366 issue is part of a set of issues known as Stack Clash. The
fixes have components in both glibc and the kernel. The kernel fix will be
included in a separate update advisory.
Updated packages in core/updates_testing:
Bumping status to critical
Packages updated cleanly:
System re-booted normally
No regressions noted
Looks OK for mga5-64 on this system:
Dell product: Precision Tower 3620
Mobo: Dell model: 09WH54
Card: Intel HD Graphics 530
CPU: Quad core Intel Core i7-6700
On MGA5-32 , install and reboot ok.
Installed these on x86_64 hardware and rebooted.
Clean install but do not know how to test but had a look at memusage.
$ memusage --progname=xine xine HowtoVideoPodcast.m4v
Memory usage summary: heap total: 53901215, heap peak: 10167195, stack peak: 286016
total calls total memory failed calls
malloc| 51332 41532103 0
realloc| 793 1203480 0 (nomove:349, dec:2, free:0)
calloc| 21632 11165632 0
free| 158388 50111471
Histogram for block sizes:
0-15 9168 12% =====================
16-31 21766 29% ==================================================
32-47 13057 17% =============================
48-63 2606 3% =====
64-79 10725 14% ========================
43776-43791 4 <1%
45040-45055 1 <1%
50960-50975 1 <1%
57728-57743 2 <1%
61440-61455 1 <1%
large 62 <1%
Looks like a fair test but leaving this for others to follow up.
On mga5-32 - in a vbox VM
Packages updated cleanly:
VM re-booted normally - no regressions noted
looks OK for mga5-32
Intel(R) Core(TM) i3 CPU
Intel 810 and late
RTL8191SEvB Wireless LAN Controller
$ uname -a
Linux localhost.localdomain 4.4.68-desktop586-1.mga5 #1 SMP Sun May 14 17:55:26 UTC 2017 i686 i686 i686 GNU/Linux
Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.
The following package is going to be installed:
4KB of additional disk space will be used.
3.7MB of packages will be retrieved.
Is it ok to continue?
Rebooted after installation - no issues
i586 glibc and kernel-desktop OK:
HW: Thinkpad T40, SSD, Radeon 7500, ipw2200.
Install: separate /boot, rest LVM, KDE4
Clean install, boot, suspend-resume, hibernate-resume OK incl resuming playing video from internet on wifi (old quirk is that after resume display is grey; login screen get visible when i move mouse), good performance.
on an old ThinkPad https://wiki.mageia.org/en/User:Marja/QA/Hardware#Lenovo_ThinkPad_SL510
Updated kernel, glibc and microcode:
cpupower-4.4.74-1.mga5.x86_64 Mon 26 Jun 2017 15:26:39 CEST
glibc-2.20-25.mga5.x86_64 Mon 26 Jun 2017 15:26:06 CEST
glibc-devel-2.20-25.mga5.x86_64 Mon 26 Jun 2017 15:26:12 CEST
kernel-desktop-4.4.74-1.mga5-1-1.mga5.x86_64 Mon 26 Jun 2017 15:26:32 CEST
kernel-desktop-latest-4.4.74-1.mga5.x86_64 Mon 26 Jun 2017 15:26:35 CEST
kernel-userspace-headers-4.4.74-1.mga5.x86_64 Mon 26 Jun 2017 15:26:36 CEST
microcode-0.20170511-1.mga5.nonfree.noarch Mon 26 Jun 2017 15:26:40 CEST
nscd-2.20-25.mga5.x86_64 Mon 26 Jun 2017 15:26:41 CEST
After reboot and until now, everything works fine, apart from an old issue that already existed before.
Testing M5_64 real hardware
Tried minimally the 4.4.74 Desktop & Linus kernels with this glibc, no problems seen; looks OK.
advisory added to svn.
This has now been running on mageia infra for 8 hours on some nodes, and ~4 hours on other nodes
Looks good enough... validating to get it out
advisory MGA5-32-OK MGA5-64-OKKeywords:
An update for this issue has been pushed to the Mageia Updates repository.