Debian has issued an advisory on June 19: https://www.debian.org/security/2017/dsa-3889 This is related to the "stack clash" issue. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
This one looks a bit less than straightforward. For this update, Debian added a patch that also required the addition of the --enable-pax_emutramp configure argument. They later updated the patch that made that configure argument a no-op unless it's changed to --enable-pax_emutramp=experimental, which they did not change, so it appears that they reverted the fix basically. Also, it sounds like the fix only has an impact on grsecurity-hardened kernels (or possibly when using SELinux), so it may not have general applicability to us anyway. I think Thomas or someone that understands this better will need to evaluate this one.
Mageia 6 is not affected, as libffi 3.2.1 already contains the fix: https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d (the fix is not included for aarch64, but we don't support this arch) For Mageia 5, we can sync with Fedora which also had version 3.1: http://pkgs.fedoraproject.org/cgit/rpms/libffi.git/log/
Version: Cauldron => 5
Assignee: pkg-bugs => rverschelde
Whiteboard: MGA5TOO => (none)
Advisory:
=========

Updated libffi packages fix security vulnerability

libffi, a library used to call code written in one language from code written in a different language, was enforcing an executable stack on the i386 architecture. While this might not be considered a vulnerability by itself, this could be leveraged when exploiting other vulnerabilities, like for example the "stack clash" class of vulnerabilities discovered by Qualys Research Labs.

References:
- https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
- https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d

RPMs in core/updates_testing:
=============================
lib(64)ffi6-3.1-4.1.mga5
lib(64)ffi-devel-3.1-4.1.mga5

SRPM in core/updates_testing:
=============================
libffi-3.1-4.1.mga5
Assignee: rverschelde => qa-bugs
Source RPM: libffi-3.2.1-5.mga6.src.rpm => libffi-3.1-4.mga5
(In reply to Rémi Verschelde from comment #3)
> Mageia 6 is not affected, as libffi 3.2.1 already contains the fix:
> https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d
> (the fix is not included for aarch64, but we don't support this arch)

No, Debian did additional work on top of 3.2.1 for this. See their advisory, changelog in sid, and: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751907
CC: (none) => rverschelde
MGA5-32 on Asus A6000VM Xfce

No installation issues.

At CLI:
# urpmq --whatrequires libffi6
firefox
firefox
firefox
and a lot of packages pointing to programming.

Took a gamble on running firefox and opening Extra - Webdesigner - Inspector and strace showed indeed:
open("/lib/libffi.so.6", O_RDONLY|O_CLOEXEC) = 4
so OK for me
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
As Herman indicates in comment 6, this is essentially a programmer's library. 'urpmq --whatrequires lib64ffi6 | sort | uniq' indicates that ruby has an ffi implementation, so:

$ sudo urpmi ruby-devel
$ sudo urpmi ruby-ffi
$ sudo gem install ffi

Found a snippet of ruby code on the web which shows how ruby can run functions from a foreign library. The example is pointless in fact but does use the libffi6 library to hitch-hike on the libc library. There are more realistic examples at https://github.com/ffi/ffi/wiki/Examples

---------------------------------------------------------------
#!/usr/bin/env ruby
# https://github.com/ffi/ffi
# ffi.rb
require 'ffi'

module MyLib
  extend FFI::Library
  # load the C library and bind its puts(const char *) as MyLib.puts
  ffi_lib 'c'
  attach_function :puts, [ :string ], :int
end

MyLib.puts 'Hello, World using libc!'
--------------------------------------------------------------

$ strace ruby ffi.rb >& ffi.trace
$ cat ffi.trace | grep libffi
open("/usr/lib64/libffi.so.6", O_RDONLY|O_CLOEXEC) = 7

The stack clash vulnerability issue is too large a subject for generalized PoC testing I would imagine. None found anyway.

After installing the updates the noddy ruby script still worked.

$ ./ffi.rb
Hello, World using libc!

Good for 64-bit systems.
CC: (none) => tarazed25
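As an added example (not part of this bug report, nor code from libffi or Mageia), here is a check a QA tester could run against the updated lib(64)ffi6 package: it parses the ELF program headers of a shared object and reports whether its PT_GNU_STACK entry requests an executable stack, which is the i386 condition the advisory describes (the same information readelf -lW prints on its GNU_STACK line). The library path on the command line and the constructed sample ELF are assumptions.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # p_type of the GNU_STACK program header
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the ELF has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                            # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                           # p_flags follows p_memsz in Elf32_Phdr
    elif ei_class == 2:                          # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                            # p_flags follows p_type in Elf64_Phdr
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(end + "I", data, off + flags_off)[0]
    return None

def stack_is_executable(data):
    """True when loading this object makes the process stack executable.
    A missing PT_GNU_STACK counts as executable, which is what glibc's loader
    assumes for such objects on x86."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)

def build_elf64_with_gnu_stack(p_flags):
    """Constructed sample: a minimal little-endian ELF64 whose only program
    header is PT_GNU_STACK with the given flags (not loadable, enough to test)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, p_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    # assumed usage: python3 check_gnu_stack.py /usr/lib64/libffi.so.6
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        state = "EXECUTABLE stack (RWE)" if stack_is_executable(blob) else "non-executable stack"
        print("%s: GNU_STACK flags=%r -> %s" % (path, gnu_stack_flags(blob), state))
```

A library built before the fix shows RWE here; after the update the i386 libffi.so.6 should report a non-executable stack, matching what readelf -lW shows.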
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0201.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED