SUSE has issued an advisory on February 15: https://lists.opensuse.org/opensuse-security-announce/2018-02/msg00026.html The upstream commit to fix the issues is linked from the SUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1079036 Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Upstream patch is available
openSUSE has issued an advisory for this on February 20: https://lists.opensuse.org/opensuse-updates/2018-02/msg00078.html
Fixed in Mga6 / Cauldron with glibc-2.22-28.mga6/7
Version: Cauldron => 6Whiteboard: MGA6TOO => (none)
glibc-2.22-28.mga6 glibc-devel-2.22-28.mga6 glibc-static-devel-2.22-28.mga6 glibc-profile-2.22-28.mga6 nscd-2.22-28.mga6 glibc-utils-2.22-28.mga6 glibc-i18ndata-2.22-28.mga6 glibc-doc-2.22-28.mga6 from glibc-2.22-28.mga6.src.rpm Advisory to come later.
Created attachment 10009 [details] mga5 glibc update I was going to commit this update to SVN (just to save for later) for Mageia 5, but SVN doesn't work anymore. I still get this error: Permission denied (publickey,keyboard-interactive). svn: E210002: Unable to connect to a repository at URL 'svn+ssh://svn.mageia.org/svn/packages/updates/5/glibc/current' svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file. svn: E210002: Network connection closed unexpectedly It seems ssh-agent or ForwardAgent are not setup or your username is wrong. See https://wiki.mageia.org/en/Packagers_ssh for more information.
glibc-2.22-28.mga6.x86_64 has been running on mageia infra since 2018-02-27
Actually assign to QA
Assignee: tmb => qa-bugs
Mageia 6 :: x86_64 Disclaimer: Before updating, some time was spent investigating the reproducers for some of the glibc issues mentioned. There are a couple of PoCs at https://bugzilla.suse.com/show_bug.cgi?id=1037559 (rpcbomb) and https://sourceware.org/bugzilla/show_bug.cgi?id=22343 (test-posix-memalign) but found that running them did not produce definite enough results for any judgement to be made so there is not much point in reporting the tests. Clean install for the updates. Everything working fine after a reboot. $ sudo nscd -g summarizes the nscd configuration and various cache tables. glibc-utils supplies memusage, mtrace and xtrace, all present. $ mtrace ./test-posix-memalign No memory leaks. Tried to rebuild stellarium locally but hit a snag like in comment 4: $ mgarepo co -d 6 stellarium Warning: Permanently added 'svn.mageia.org,212.85.158.153' (RSA) to the list of known hosts. Permission denied (publickey,keyboard-interactive). svn: E170013: Unable to connect to a repository at URL 'svn+ssh://svn.mageia.org/svn/packages/updates/6/stellarium/current' svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file. svn: E210002: Network connection closed unexpectedly This is all I can do for now. glibc looks OK for 64-bits.
CC: (none) => tarazed25
Following on from comment 7. I did not have my SVN credentials with me. Moved to another machine and retrieved stellarium OK. Tarred it up and copied to this machine and tried again. $ bm -ls creating package list processing package stellarium-0.16.0-%mkrel 1 building source package Wrote: /home/lcl/stella/stellarium/SRPMS/stellarium-0.16.0-1.mga6.src.rpm succeeded! $ bm -l creating package list processing package stellarium-0.16.0-%mkrel 1 building source and binary packages error: Failed build dependencies: cmake is needed by stellarium-0.16.0-1.mga6.x86_64 pkgconfig(Qt5Concurrent) is needed by stellarium-0.16.0-1.mga6.x86_64 ................ and so on. Ah well!
Update tested in i586 (laptop Eee PC 901) all ok.
CC: (none) => lists.jjorge
Whiteboard: (none) => mga6-32-ok
M6/64 real EFI hardware About to apply the update, I seem to have it since some time (do not know when): glibc-2.22-28.mga6 glibc-devel-2.22-28.mga6 The only doubt I have is that for some time now the system seizes up from time to time, noticeable when using browsers: Firefox worst, Iceape less so. This probably has nothing to do with glibc, so I would OK that.
CC: (none) => lewyssmith
Installed and tested without issues. Tested for two days of normal use with plenty of applications run. System: Mageia 6, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver. $ rpm -qa | grep glibc glibc-devel-2.22-28.mga6 glibc-2.22-28.mga6
CC: (none) => mageia
@Lewis - re comment 10 "noticeable when using browsers" Yes I have been seeing freezes and slowdowns with firefox for a long time. This bug looks OK for 64 bits.
Whiteboard: mga6-32-ok => mga6-32-ok MGA6-64-OK
I've had to install this update on several systems before I could look at anything else in Testing. No problems seen in any of them. I too see occasional slowdowns of Firefox, but I've been putting to my ad blocker extension (Adblocker Ultimate) doing the job it's supposed to do.
CC: (none) => andrewsfarm
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory, added to svn: An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption (CVE-2018-6485, CVE-2018-6551).
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0159.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Blocks: (none) => 22711
CC: lewyssmith => (none)