Bug 21126 - valgrind new security issues CVE-2016-2226, CVE-2016-4487, CVE-2016-4488, CVE-2016-4489, CVE-2016-4490, CVE-2016-4491, CVE-2016-4492, CVE-2016-4493, CVE-2016-6131
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-06-22 00:17 CEST by David Walser
Modified: 2017-07-28 20:13 CEST
CC List: 6 users

See Also:
Source RPM: valgrind-3.12.0-4.mga6.src.rpm
CVE:
Status comment:


Attachments
file to compile and run valgrind to the executable (251 bytes, text/plain)
2017-07-18 15:10 CEST, Herman Viaene

Description David Walser 2017-06-22 00:17:49 CEST
Ubuntu has issued an advisory today (June 21):
https://www.ubuntu.com/usn/usn-3337-1/

Mageia 5 is also affected.
David Walser 2017-06-22 00:17:56 CEST

Whiteboard: (none) => MGA5TOO

Marja van Waes 2017-06-23 22:05:58 CEST

CC: (none) => marja11
Assignee: bugsquad => thierry.vignaud

Comment 1 David Walser 2017-06-24 18:42:24 CEST
Note that CVE-2016-2226 is already fixed in the version in Cauldron.
Comment 2 David Walser 2017-06-24 18:48:34 CEST
The Ubuntu patch for 3.12.0 only references CVE-2016-4491, but apparently it fixes all of the remaining issues.  I've checked it into SVN and requested a freeze push.
Comment 3 David Walser 2017-06-24 23:53:29 CEST
valgrind-3.12.0-5.mga6 uploaded for Cauldron, presumably fixing this.

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 4 David Walser 2017-07-08 21:56:30 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated valgrind packages fix security vulnerabilities:

It was discovered that Valgrind incorrectly handled certain string operations.
If a user or automated system were tricked into processing a specially crafted
binary, a remote attacker could possibly execute arbitrary code
(CVE-2016-2226).

It was discovered that Valgrind incorrectly handled parsing certain binaries.
If a user or automated system were tricked into processing a specially crafted
binary, a remote attacker could use this issue to cause Valgrind to crash,
resulting in a denial of service (CVE-2016-4487, CVE-2016-4488, CVE-2016-4489,
CVE-2016-4490, CVE-2016-4491, CVE-2016-4492, CVE-2016-4493, CVE-2016-6131).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131
https://www.ubuntu.com/usn/usn-3337-1/
========================

Updated packages in core/updates_testing:
========================
valgrind-3.10.1-2.1.mga5
valgrind-devel-3.10.1-2.1.mga5
valgrind-openmpi-3.10.1-2.1.mga5

from valgrind-3.10.1-2.1.mga5.src.rpm

Assignee: thierry.vignaud => qa-bugs
CC: (none) => thierry.vignaud

Comment 5 Herman Viaene 2017-07-18 15:09:50 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Found test in http://valgrind.org/docs/manual/quick-start.html (test file will be uploaded), compiled and
at CLI:
$ valgrind --leak-check=yes /home/tester5/Documenten/valgrindtest 
==7637== Memcheck, a memory error detector
==7637== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7637== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==7637== Command: /home/tester5/Documenten/valgrindtest
==7637== 
==7637== Invalid write of size 4
==7637==    at 0x8048437: f (in /home/tester5/Documenten/valgrindtest)
==7637==    by 0x8048454: main (in /home/tester5/Documenten/valgrindtest)
==7637==  Address 0x4222050 is 0 bytes after a block of size 40 alloc'd
==7637==    at 0x402951B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7637==    by 0x804842A: f (in /home/tester5/Documenten/valgrindtest)
==7637==    by 0x8048454: main (in /home/tester5/Documenten/valgrindtest)
==7637== 
==7637== 
==7637== HEAP SUMMARY:
==7637==     in use at exit: 40 bytes in 1 blocks
==7637==   total heap usage: 1 allocs, 0 frees, 40 bytes allocated
==7637== 
==7637== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==7637==    at 0x402951B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7637==    by 0x804842A: f (in /home/tester5/Documenten/valgrindtest)
==7637==    by 0x8048454: main (in /home/tester5/Documenten/valgrindtest)
==7637== 
==7637== LEAK SUMMARY:
==7637==    definitely lost: 40 bytes in 1 blocks
==7637==    indirectly lost: 0 bytes in 0 blocks
==7637==      possibly lost: 0 bytes in 0 blocks
==7637==    still reachable: 0 bytes in 0 blocks
==7637==         suppressed: 0 bytes in 0 blocks
==7637== 
==7637== For counts of detected and suppressed errors, rerun with: -v
==7637== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 6 Herman Viaene 2017-07-18 15:10:59 CEST
Created attachment 9504
file to compile and run valgrind to the executable
Lewis Smith 2017-07-20 20:52:43 CEST

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 7 PC LX 2017-07-27 21:07:38 CEST
Installed and tested using test binary without issues. Tested with other binaries and IDEs, again without issue.

System: x86_64, Plasma, nVidia (proprietary driver)

$ uname -a
Linux marte 4.4.78-desktop-1.mga5 #1 SMP Mon Jul 24 20:49:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q valgrind
valgrind-3.10.1-2.1.mga5
$ valgrind --leak-check=yes ./valgrindtest
==1582== Memcheck, a memory error detector
==1582== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==1582== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==1582== Command: ./valgrindtest
==1582== 
==1582== Invalid write of size 4
==1582==    at 0x400646: f (in /tmp/pedro/valgrindtest)
==1582==    by 0x400656: main (in /tmp/pedro/valgrindtest)
==1582==  Address 0x51e8068 is 0 bytes after a block of size 40 alloc'd
==1582==    at 0x4C27F7F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1582==    by 0x400639: f (in /tmp/pedro/valgrindtest)
==1582==    by 0x400656: main (in /tmp/pedro/valgrindtest)
==1582== 
==1582== 
==1582== HEAP SUMMARY:
==1582==     in use at exit: 40 bytes in 1 blocks
==1582==   total heap usage: 1 allocs, 0 frees, 40 bytes allocated
==1582== 
==1582== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
==1582==    at 0x4C27F7F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1582==    by 0x400639: f (in /tmp/pedro/valgrindtest)
==1582==    by 0x400656: main (in /tmp/pedro/valgrindtest)
==1582== 
==1582== LEAK SUMMARY:
==1582==    definitely lost: 40 bytes in 1 blocks
==1582==    indirectly lost: 0 bytes in 0 blocks
==1582==      possibly lost: 0 bytes in 0 blocks
==1582==    still reachable: 0 bytes in 0 blocks
==1582==         suppressed: 0 bytes in 0 blocks
==1582== 
==1582== For counts of detected and suppressed errors, rerun with: -v
==1582== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

Whiteboard: MGA5-32-OK advisory => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => mageia
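The Memcheck output pasted in Comments 5 and 7 is the QA oracle for this update: the quick-start program must still produce the invalid write and the 40-byte leak after the patched valgrind is installed. The following script is an added example, not part of this bug report or of Mageia's QA tooling; it parses that output format and checks it against the expected findings, using a trimmed, constructed copy of the tester's log as sample input.

```python
import re

# Constructed sample: a trimmed copy of the Memcheck output the testers pasted
# for the quick-start program (the ==PID== prefix differs from run to run).
SAMPLE = """\
==1582== Memcheck, a memory error detector
==1582== Invalid write of size 4
==1582==    at 0x400646: f (in /tmp/pedro/valgrindtest)
==1582==  Address 0x51e8068 is 0 bytes after a block of size 40 alloc'd
==1582== HEAP SUMMARY:
==1582==     in use at exit: 40 bytes in 1 blocks
==1582== LEAK SUMMARY:
==1582==    definitely lost: 40 bytes in 1 blocks
==1582==    indirectly lost: 0 bytes in 0 blocks
==1582==      possibly lost: 0 bytes in 0 blocks
==1582==    still reachable: 0 bytes in 0 blocks
==1582==         suppressed: 0 bytes in 0 blocks
==1582== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
"""

PREFIX = re.compile(r"^==\d+==\s?")
LEAK = re.compile(r"^\s*(definitely lost|indirectly lost|possibly lost|"
                  r"still reachable|suppressed): (\d+) bytes in (\d+) blocks")
ERRORS = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")
# Error headers Memcheck prints; the quick-start program triggers the first.
ERROR_KINDS = ("Invalid write", "Invalid read", "Conditional jump",
               "Use of uninitialised value")

def parse_memcheck(text):
    """Extract error kinds, leak summary and the final error count from Memcheck output."""
    result = {"errors": None, "contexts": None, "leaks": {}, "kinds": []}
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # the program's own stdout/stderr, not a valgrind line
        line = raw[m.end():]
        if line.startswith(ERROR_KINDS):
            result["kinds"].append(line.strip())
        lm = LEAK.match(line)
        if lm:
            result["leaks"][lm.group(1)] = (int(lm.group(2)), int(lm.group(3)))
        em = ERRORS.match(line)
        if em:
            result["errors"], result["contexts"] = int(em.group(1)), int(em.group(2))
    return result

def quickstart_test_passes(text):
    """QA oracle: exactly the findings the quick-start binary is expected to produce."""
    r = parse_memcheck(text)
    return (r["errors"] == 2
            and any(k.startswith("Invalid write of size 4") for k in r["kinds"])
            and r["leaks"].get("definitely lost") == (40, 1))
```

Feed it the stderr of `valgrind --leak-check=yes ./valgrindtest` from a real run; a silent or crashing valgrind (no ERROR SUMMARY line) fails the check rather than passing by default.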

Comment 8 Lewis Smith 2017-07-27 22:15:25 CEST
Thank you Herman & PC_LX for the tests.
Validating, already advisoried.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 Mageia Robot 2017-07-28 20:13:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0222.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

