Bug 20803 - glibc new security issues CVE-2017-8804 and CVE-2017-1000366
Summary: glibc new security issues CVE-2017-8804 and CVE-2017-1000366
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: High critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-08 03:36 CEST by David Walser
Modified: 2017-06-26 23:46 CEST

See Also:
Source RPM: glibc-2.22-24.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-05-08 03:36:09 CEST
The recently reported security issue in rpcbind/libtirpc also affects glibc:
http://openwall.com/lists/oss-security/2017/05/07/3

The message above contains a link to a patch.
David Walser 2017-05-08 03:36:18 CEST

Whiteboard: (none) => MGA5TOO

Marja Van Waes 2017-05-08 10:35:58 CEST

CC: (none) => marja11, tmb
Assignee: bugsquad => basesystem

Comment 1 Thomas Backlund 2017-05-09 19:00:46 CEST
Will hold this one back for now... upstream is still debating what and how to fix properly
Comment 2 David Walser 2017-06-24 00:50:25 CEST
Red Hat has issued an advisory on June 19:
https://rhn.redhat.com/errata/RHSA-2017-1481.html

This is the highly publicized Stack Clash issue, which also has a kernel component. I'm not sure if there's been any debate about the glibc fixes, but there has been about the kernel fixes. Apparently the fix Red Hat and Ubuntu used causes more issues. Upstream has better fixes that they are working on backporting to stable kernels. I'm not sure if they've gotten to 4.4 and 4.9 yet.

Summary: glibc new security issue CVE-2017-8804 => glibc new security issues CVE-2017-8804 and CVE-2017-1000366

Comment 3 David Walser 2017-06-24 16:42:56 CEST
glibc-2.22-25.mga6 uploaded for Cauldron by Thomas, fixing these.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2017-06-24 18:25:57 CEST
Thomas has informed me that a glibc build to fix these for Mageia 5 is available, and that the kernel should hopefully be addressed in the next couple of days (pending completion of the fixes upstream).

Advisory:
========================

Updated glibc packages fix security vulnerabilities:

The sunrpc implementation in glibc is vulnerable to a flaw that can cause it to
be triggered to allocate additional memory until it causes a crash, similar to
CVE-2017-8779 (CVE-2017-8804).

A flaw was found in the way memory was being allocated on the stack for user
space binaries. If heap (or different memory region) and stack memory regions
were adjacent to each other, an attacker could use this flaw to jump over the
stack guard gap, cause controlled memory corruption on process stack or the
adjacent memory region, and thus increase their privileges on the system. This
is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs
running in secure-execution mode and reduces the number of allocations performed
by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful
exploitation of this issue more difficult (CVE-2017-1000366).

The CVE-2017-1000366 issue is part of a set of issues known as Stack Clash.  The
fixes have components in both glibc and the kernel.  The kernel fix will be
included in a separate update advisory.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
http://openwall.com/lists/oss-security/2017/05/07/3
https://rhn.redhat.com/errata/RHSA-2017-1481.html
========================

Updated packages in core/updates_testing:
========================
glibc-2.20-25.mga5
glibc-devel-2.20-25.mga5
glibc-static-devel-2.20-25.mga5
glibc-profile-2.20-25.mga5
nscd-2.20-25.mga5
glibc-utils-2.20-25.mga5
glibc-i18ndata-2.20-25.mga5
glibc-doc-2.20-25.mga5

from glibc-2.20-25.mga5.src.rpm

Assignee: basesystem => qa-bugs
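
An added example, not part of the bug report or of Mageia's tooling: a check that flags hosts still carrying a glibc build older than the fixed 2.20-25.mga5 listed in the advisory above, working from saved `rpm -qa` output. The version comparison is a simplified form of rpm's ordering (no epoch or tilde handling), and the sample lines are constructed for illustration.

```python
import re

# Fixed build named in the advisory on this page: (version, release).
FIXED = ("2.20", "25.mga5")
# Binary packages listed under core/updates_testing on this page.
PACKAGES = {"glibc", "glibc-devel", "glibc-static-devel", "glibc-profile",
            "nscd", "glibc-utils", "glibc-i18ndata", "glibc-doc"}

# Constructed sample of `rpm -qa` output; the older releases are made up.
SAMPLE = ["glibc-2.20-24.mga5.x86_64", "nscd-2.20-25.mga5.x86_64",
          "glibc-devel-2.20-25.mga5.x86_64", "glibc-utils-2.20-9.mga5.i586",
          "kernel-desktop-4.4.74-1.mga5-1-1.mga5.x86_64"]

def _segments(s):
    # "25.mga5" -> ["25", "mga", "5"]; separators are dropped.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpm-style comparison (assumption: no epoch, no '~')."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # compare numbers numerically
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split name-version-release[.arch] as printed by `rpm -qa`."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+?)(?:\.(x86_64|i586|noarch))?$",
                 line.strip())
    return m.groups()[:3] if m else None

def outdated(rpm_qa_lines):
    """Return the lines for advisory packages older than FIXED."""
    stale = []
    for line in rpm_qa_lines:
        parsed = parse_nvra(line)
        if not parsed or parsed[0] not in PACKAGES:
            continue
        _, ver, rel = parsed
        # Version decides first; release only breaks a version tie.
        if (vercmp(ver, FIXED[0]) or vercmp(rel, FIXED[1])) < 0:
            stale.append(line.strip())
    return stale

if __name__ == "__main__":
    for pkg in outdated(SAMPLE):
        print("needs update:", pkg)
```
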

Comment 5 Thomas Backlund 2017-06-26 10:58:30 CEST
Bumping status to critical

Status: NEW => ASSIGNED
Priority: Normal => High
Severity: normal => critical

Comment 6 James Kerr 2017-06-26 12:21:39 CEST
On mga5-64
Packages updated cleanly:

nscd-2.20-25.mga5
glibc-2.20-25.mga5

System re-booted normally
No regressions noted

Looks OK for mga5-64 on this system:

Dell product: Precision Tower 3620
Mobo: Dell model: 09WH54 
Card: Intel HD Graphics 530
CPU: Quad core Intel Core i7-6700

CC: (none) => jim

Comment 7 José Jorge 2017-06-26 12:29:49 CEST
On MGA5-32, install and reboot OK.

CC: (none) => lists.jjorge

Comment 8 Len Lawrence 2017-06-26 12:55:33 CEST
Installed these on x86_64 hardware and rebooted.

Clean install but do not know how to test but had a look at memusage.

$ memusage --progname=xine xine HowtoVideoPodcast.m4v

Memory usage summary: heap total: 53901215, heap peak: 10167195, stack peak: 286016
         total calls   total memory   failed calls
 malloc|      51332       41532103              0
realloc|        793        1203480              0  (nomove:349, dec:2, free:0)
 calloc|      21632       11165632              0
   free|     158388       50111471
Histogram for block sizes:
    0-15           9168  12% =====================
   16-31          21766  29% ==================================================
   32-47          13057  17% =============================
   48-63           2606   3% =====
   64-79          10725  14% ========================
.............................
43776-43791           4  <1% 
45040-45055           1  <1% 
50960-50975           1  <1% 
57728-57743           2  <1% 
61440-61455           1  <1% 
   large             62  <1% 

Looks like a fair test but leaving this for others to follow up.

CC: (none) => tarazed25

Comment 9 James Kerr 2017-06-26 12:58:16 CEST
On mga5-32 - in a vbox VM

Packages updated cleanly:

- glibc-2.20-25.mga5.i586
- glibc-devel-2.20-25.mga5.i586
- nscd-2.20-25.mga5.i586

VM re-booted normally - no regressions noted

looks OK for mga5-32
Comment 10 Brian Rockwell 2017-06-26 15:29:03 CEST

Intel(R) Core(TM) i3 CPU
Intel 810 and late
RTL8191SEvB Wireless LAN Controller


$ uname -a
Linux localhost.localdomain 4.4.68-desktop586-1.mga5 #1 SMP Sun May 14 17:55:26 UTC 2017 i686 i686 i686 GNU/Linux


Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following package is going to be installed:

- glibc-2.20-25.mga5.i586

4KB of additional disk space will be used.

3.7MB of packages will be retrieved.

Is it ok to continue?

Rebooted after installation - no issues

CC: (none) => brtians1

Comment 11 Morgan Leijström 2017-06-26 17:07:29 CEST
i586 glibc and kernel-desktop OK:
HW: Thinkpad T40, SSD, Radeon 7500, ipw2200.
Install:  separate /boot, rest LVM, KDE4
Clean install, boot, suspend-resume, hibernate-resume OK, including resuming playing video from the internet on wifi (an old quirk is that after resume the display is grey; the login screen becomes visible when I move the mouse), good performance.

CC: (none) => fri

Comment 12 Marja Van Waes 2017-06-26 17:45:23 CEST
on an old ThinkPad https://wiki.mageia.org/en/User:Marja/QA/Hardware#Lenovo_ThinkPad_SL510

Updated kernel, glibc and microcode:

cpupower-4.4.74-1.mga5.x86_64                 Mon 26 Jun 2017 15:26:39 CEST
glibc-2.20-25.mga5.x86_64                     Mon 26 Jun 2017 15:26:06 CEST
glibc-devel-2.20-25.mga5.x86_64               Mon 26 Jun 2017 15:26:12 CEST
kernel-desktop-4.4.74-1.mga5-1-1.mga5.x86_64  Mon 26 Jun 2017 15:26:32 CEST
kernel-desktop-latest-4.4.74-1.mga5.x86_64    Mon 26 Jun 2017 15:26:35 CEST
kernel-userspace-headers-4.4.74-1.mga5.x86_64 Mon 26 Jun 2017 15:26:36 CEST
microcode-0.20170511-1.mga5.nonfree.noarch    Mon 26 Jun 2017 15:26:40 CEST
nscd-2.20-25.mga5.x86_64                      Mon 26 Jun 2017 15:26:41 CEST

After reboot and until now, everything works fine, apart from an old issue that already existed before.
Comment 13 Lewis Smith 2017-06-26 19:46:21 CEST
Testing M5_64 real hardware

 glibc-devel-2.20-25.mga5
 glibc-2.20-25.mga5

Tried minimally the 4.4.74 Desktop & Linus kernels with this glibc, no problems seen; looks OK.

CC: (none) => lewyssmith

Comment 14 Thomas Backlund 2017-06-26 21:40:02 CEST
advisory added to svn.

This has now been running on mageia infra for 8 hours on some nodes, and ~4 hours on other nodes

Whiteboard: (none) => advisory

Comment 15 Thomas Backlund 2017-06-26 23:07:37 CEST

Looks good enough... validating to get it out

Whiteboard: advisory => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2017-06-26 23:46:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0184.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

