Same fixes as in https://advisories.mageia.org/MGASA-2017-0464.html but for mga5:

SRPMS:
glibc-2.20-26.mga5.src.rpm
libtirpc-0.2.5-3.3.mga5.src.rpm

i586:
glibc-2.20-26.mga5.i586.rpm
glibc-devel-2.20-26.mga5.i586.rpm
glibc-doc-2.20-26.mga5.noarch.rpm
glibc-i18ndata-2.20-26.mga5.i586.rpm
glibc-profile-2.20-26.mga5.i586.rpm
glibc-static-devel-2.20-26.mga5.i586.rpm
glibc-utils-2.20-26.mga5.i586.rpm
nscd-2.20-26.mga5.i586.rpm
libtirpc-0.2.5-3.3.mga5.i586.rpm
libtirpc1-0.2.5-3.3.mga5.i586.rpm
libtirpc-devel-0.2.5-3.3.mga5.i586.rpm

x86_64:
glibc-2.20-26.mga5.x86_64.rpm
glibc-devel-2.20-26.mga5.x86_64.rpm
glibc-doc-2.20-26.mga5.noarch.rpm
glibc-i18ndata-2.20-26.mga5.x86_64.rpm
glibc-profile-2.20-26.mga5.x86_64.rpm
glibc-static-devel-2.20-26.mga5.x86_64.rpm
glibc-utils-2.20-26.mga5.x86_64.rpm
nscd-2.20-26.mga5.x86_64.rpm
lib64tirpc1-0.2.5-3.3.mga5.x86_64.rpm
lib64tirpc-devel-0.2.5-3.3.mga5.x86_64.rpm
libtirpc-0.2.5-3.3.mga5.x86_64.rpm
Advisory, added to svn:

type: security
subject: Updated glibc packages fix security vulnerabilities
CVE:
 - CVE-2017-12132
 - CVE-2017-12133
 - CVE-2017-15670
 - CVE-2017-15671
 - CVE-2017-15804
src:
  5:
   core:
     - glibc-2.20-26.mga5
     - libtirpc-0.2.5-3.3.mga5
description: |
  The DNS stub resolver in the GNU C Library (aka glibc or libc6) before
  version 2.26, when EDNS support is enabled, will solicit large UDP
  responses from name servers, potentially simplifying off-path DNS
  spoofing attacks due to IP fragmentation (CVE-2017-12132, CVE-2017-12133).

  The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one
  error leading to a heap-based buffer overflow (CVE-2017-15670).

  The glob function in glob.c in the GNU C Library (aka glibc or libc6)
  before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated
  memory when processing the ~ operator with a long user name, potentially
  leading to a denial of service (memory leak) (CVE-2017-15671).

  The glob function in glob.c in the GNU C Library (aka glibc or libc6)
  before 2.27 contains a buffer overflow during unescaping of user names
  with the ~ operator (CVE-2017-15804).

  As libtirpc is also affected by CVE-2017-12133, it's part of this update.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=22255
Keywords: (none) => advisory
Hi.

I have booted up both x86_64 and i586 with the new glibc release and it looks OK. If my memory serves me correctly, there was a mention in the #mageia-qa meeting that a boot "was enough" of a test for this package. Are more tests necessary before it can be validated?

Cheers,
Stig
CC: (none) => smelror
It needs to be tested/used on both arches... And since it's a low-level package... preferably keep using it for at least a day or so to flush out any latent bugs in it...
Mageia 5 :: x86_64

Updated all the packages:

$ rpm -qa | grep glibc
glibc-profile-2.20-26.mga5
glibc-2.20-26.mga5
glibc-utils-2.20-26.mga5
glibc-static-devel-2.20-26.mga5
glibc-doc-2.20-26.mga5
glibc-devel-2.20-26.mga5
glibc-i18ndata-2.20-26.mga5
$ rpm -qa | grep tirpc
lib64tirpc-devel-0.2.5-3.3.mga5
lib64tirpc1-0.2.5-3.3.mga5
libtirpc-0.2.5-3.3.mga5

Rebooted to:
System: Host: vega Kernel: 4.4.105-tmb-desktop-1.mga5 x86_64 (64 bit) Desktop: N/A Distro: Mageia 5 thornicroft
CPU: Quad core Intel Core i7-4790K (-HT-MCP-) clocked at 4399 MHz

No problems apparent.

Rebooted to
System: Host: vega Kernel: 4.4.105-desktop-1.mga5 x86_64

Leaving this running.
CC: (none) => tarazed25
Using M5/64 real hardware.

glibc-2.20-26.mga5
4.4.105-tmb-desktop-1.mga5

No problems after some usage.
Mageia 5 for i586 in vbox
4.4.105-desktop586-1.mga5

Updated glibc and other packages.

$ rpm -qa | egrep "glibc|nscd|libtirp" | sort
glibc-2.20-26.mga5
glibc-devel-2.20-26.mga5
glibc-doc-2.20-26.mga5
glibc-i18ndata-2.20-26.mga5
glibc-profile-2.20-26.mga5
glibc-static-devel-2.20-26.mga5
glibc-utils-2.20-26.mga5
libtirpc-0.2.5-3.3.mga5
libtirpc1-0.2.5-3.3.mga5
libtirpc-devel-0.2.5-3.3.mga5
nscd-2.20-26.mga5

The desktop runs smoothly over a range of activities; browsing, editing, commandline, running videos, image viewing, word-processing, printing, NFS shares, other network activity, gkrellm, stress tests, package installation, ruby scripting, ....
Whiteboard: (none) => MGA5-32-OK
The x86_64 build has been running on the Mageia infra for 24+ hours too without issues, including the heavily loaded build nodes...
MGA5-32 on Dell Latitude D600
No installation issues.
Tested pdf, odt and ods files, played video and showed pictures, played contents (pictures and video) from website, all OK.
CC: (none) => herman.viaene
No problems found. Validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0470.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED