The recently reported security issue in rpcbind/libtirpc also affects glibc: http://openwall.com/lists/oss-security/2017/05/07/3 The message above contains a link to a patch.
Whiteboard: (none) => MGA5TOO
CC: (none) => marja11, tmbAssignee: bugsquad => basesystem
Will hold this one back for now... upstream is still debating what and how to fix properly
RedHat has issued an advisory on June 19: https://rhn.redhat.com/errata/RHSA-2017-1481.html This is the highly publicized Stack Clash issue, which also has a kernel component. I'm not sure if there's been any debate about the glibc fixes, but there has been about the kernel fixes. Apparently the fix RedHat and Ubuntu used causes more issues. Upstream has better fixes that they are working on backporting to stable kernels. I'm not sure if they've gotten to 4.4 and 4.9 yet.
Summary: glibc new security issue CVE-2017-8804 => glibc new security issues CVE-2017-8804 and CVE-2017-1000366
glibc-2.22-25.mga6 uploaded for Cauldron by Thomas, fixing these.
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
Thomas has informed me that a glibc build to fix these for Mageia 5 is available, and that the kernel should hopefully be addressed in the next couple of days (pending completion of the fixes upstream). Advisory: ======================== Updated glibc packages fix security vulnerabilities: The sunrpc implementation in glibc is vulnerable to a flaw that can cause it to be triggered to allocate additional memory until it causes a crash, similar to CVE-2017-8779 (CVE-2017-8804). A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult (CVE-2017-1000366). The CVE-2017-1000366 issue is part of a set of issues known as Stack Clash. The fixes have components in both glibc and the kernel. The kernel fix will be included in a separate update advisory. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8804 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 http://openwall.com/lists/oss-security/2017/05/07/3 https://rhn.redhat.com/errata/RHSA-2017-1481.html ======================== Updated packages in core/updates_testing: ======================== glibc-2.20-25.mga5 glibc-devel-2.20-25.mga5 glibc-static-devel-2.20-25.mga5 glibc-profile-2.20-25.mga5 nscd-2.20-25.mga5 glibc-utils-2.20-25.mga5 glibc-i18ndata-2.20-25.mga5 glibc-doc-2.20-25.mga5 from glibc-2.20-25.mga5.src.rpm
Assignee: basesystem => qa-bugs
Bumping status to critical
Status: NEW => ASSIGNEDPriority: Normal => HighSeverity: normal => critical
On mga5-64 Packages updated cleanly: nscd-2.20-25.mga5 glibc-2.20-25.mga5 System re-booted normally No regressions noted Looks OK for mga5-64 on this system: Dell product: Precision Tower 3620 Mobo: Dell model: 09WH54 Card: Intel HD Graphics 530 CPU: Quad core Intel Core i7-6700
CC: (none) => jim
On MGA5-32 , install and reboot ok.
CC: (none) => lists.jjorge
Installed these on x86_64 hardware and rebooted. Clean install but do not know how to test but had a look at memusage. $ memusage --progname=xine xine HowtoVideoPodcast.m4v Memory usage summary: heap total: 53901215, heap peak: 10167195, stack peak: 286016 total calls total memory failed calls malloc| 51332 41532103 0 realloc| 793 1203480 0 (nomove:349, dec:2, free:0) calloc| 21632 11165632 0 free| 158388 50111471 Histogram for block sizes: 0-15 9168 12% ===================== 16-31 21766 29% ================================================== 32-47 13057 17% ============================= 48-63 2606 3% ===== 64-79 10725 14% ======================== ............................. 43776-43791 4 <1% 45040-45055 1 <1% 50960-50975 1 <1% 57728-57743 2 <1% 61440-61455 1 <1% large 62 <1% Looks like a fair test but leaving this for others to follow up.
CC: (none) => tarazed25
On mga5-32 - in a vbox VM Packages updated cleanly: - glibc-2.20-25.mga5.i586 - glibc-devel-2.20-25.mga5.i586 - nscd-2.20-25.mga5.i586 VM re-booted normally - no regressions noted looks OK for mga5-32
Intel(R) Core(TM) i3 CPU Intel 810 and late RTL8191SEvB Wireless LAN Controller $ uname -a Linux localhost.localdomain 4.4.68-desktop586-1.mga5 #1 SMP Sun May 14 17:55:26 UTC 2017 i686 i686 i686 GNU/Linux Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart. The following package is going to be installed: - glibc-2.20-25.mga5.i586 4KB of additional disk space will be used. 3.7MB of packages will be retrieved. Is it ok to continue? Rebooted after installation - no issues
CC: (none) => brtians1
i586 glibc and kernel-desktop OK: HW: Thinkpad T40, SSD, Radeon 7500, ipw2200. Install: separate /boot, rest LVM, KDE4 Clean install, boot, suspend-resume, hibernate-resume OK incl resuming playing video from internet on wifi (old quirk is that after resume display is grey; login screen get visible when i move mouse), good performance.
CC: (none) => fri
on an old ThinkPad https://wiki.mageia.org/en/User:Marja/QA/Hardware#Lenovo_ThinkPad_SL510 Updated kernel, glibc and microcode: cpupower-4.4.74-1.mga5.x86_64 Mon 26 Jun 2017 15:26:39 CEST glibc-2.20-25.mga5.x86_64 Mon 26 Jun 2017 15:26:06 CEST glibc-devel-2.20-25.mga5.x86_64 Mon 26 Jun 2017 15:26:12 CEST kernel-desktop-4.4.74-1.mga5-1-1.mga5.x86_64 Mon 26 Jun 2017 15:26:32 CEST kernel-desktop-latest-4.4.74-1.mga5.x86_64 Mon 26 Jun 2017 15:26:35 CEST kernel-userspace-headers-4.4.74-1.mga5.x86_64 Mon 26 Jun 2017 15:26:36 CEST microcode-0.20170511-1.mga5.nonfree.noarch Mon 26 Jun 2017 15:26:40 CEST nscd-2.20-25.mga5.x86_64 Mon 26 Jun 2017 15:26:41 CEST After reboot and until now, everything works fine, apart from an old issue that already existed before.
Testing M5_64 real hardware glibc-devel-2.20-25.mga5 glibc-2.20-25.mga5 Tried minimally the 4.4.74 Desktop & Linus kernels with this glibc, no problems seen; looks OK.
CC: (none) => lewyssmith
advisory added to svn. This has now been running on mageia infra for 8 hours on some nodes, and ~4 hours on other nodes
Whiteboard: (none) => advisory
Looks good enough... validating to get it out
Whiteboard: advisory => advisory MGA5-32-OK MGA5-64-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0184.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED