Bug 23136 - glibc new security issue CVE-2017-18269 and CVE-2018-11236
Summary: glibc new security issue CVE-2017-18269 and CVE-2018-11236
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 22711
  Show dependency treegraph
Reported: 2018-06-07 22:20 CEST by David Walser
Modified: 2018-06-25 00:03 CEST (History)
7 users (show)

See Also:
Source RPM: glibc-2.22-28.mga6.src.rpm
Status comment:


Comment 1 Thomas Backlund 2018-06-07 22:32:34 CEST
Already fixed in Cauldron.

Does not affect mga6 as the avx512 functions landed in 2.23 and we are at 2.22

Resolution: (none) => INVALID

Comment 2 David Walser 2018-06-08 22:03:33 CEST
Thanks.  What about CVE-2017-18269 and CVE-2018-11236?
Comment 3 Thomas Backlund 2018-06-08 22:21:50 CEST
(In reply to David Walser from comment #2)
> Thanks.  What about CVE-2017-18269 and CVE-2018-11236?
> http://lists.suse.com/pipermail/sle-security-updates/2018-June/004156.html

Both fixed in Cauldron, but still valid for Mga6, so reopening...

Resolution: INVALID => (none)

Marja Van Waes 2018-06-08 22:40:44 CEST

CC: (none) => marja11
Summary: glibc new security issue CVE-2018-11237 => glibc new security issue CVE-2017-18269 and CVE-2018-11236

Comment 4 David Walser 2018-06-08 22:47:20 CEST
openSUSE has issued an advisory for this today (June 8):
Comment 5 Thomas Backlund 2018-06-17 23:56:16 CEST
 CVE-2017-18269 and CVE-2018-11236 fixed in:




Assignee: tmb => qa-bugs

Comment 6 Len Lawrence 2018-06-18 10:37:05 CEST
Mageia 6, x86_64

The upstream links seem to indicate that one of the vulnerabilities affects 32-bit systems only.  No definite PoCs for the other two issues but there is a test program for one of them which upstream testers found rarely demonstrated the fault.

Updated all the packages and rebooted.

Compiled the memorex.c program from the man page for memusage.
$ ./memorex
malloc: 400
realloc: 440
realloc: 240
realloc: 440

I do not remember where this snippet came from but compiled it anyway.
// test-posix-memalign.c
// gcc -o test-posix-memalign test-posix-memalign.c
#include <stdlib.h>
#include <stdint.h>

int main( int argc, char **argv )
	void *p;
 	return posix_memalign( &p, 0x10, SIZE_MAX - 0x20 );
$ mtrace ./test-posix-memalign
No memory leaks.

Tried a local build.
Celestia sources already installed in a local directory.
$ cd celestia
$ ls
$ bm -l
Successful rebuild of celestia packages with a lot of references to glibc.
$ ll RPMS/x86_64
total 37924
-rw-r--r-- 1 lcl lcl 34121386 Jun 18 08:59 celestia-1.6.1-18.mga6.x86_64.rpm
-rw-r--r-- 1 lcl lcl  4707726 Jun 18 08:59 celestia-debuginfo-1.6.1-18.mga6.x86_64.rpm

Name Service Caching Demon:
$ sudo nscd -g
produced  an extensive summary of the nscd configuration and  several cache tables.

It all looks fine.  This is one of those packages which should definitely be tested on 32-bit architectures particularly as one of the vulnerabilities manifests itself in operations which cross the 32-bit word-size boundary, such as block moves greater in size than a 31-bit number.  More tests for 64-bits would be good also.

CC: (none) => tarazed25

Comment 7 Thomas Andrews 2018-06-18 20:47:40 CEST
On real hardware, HP 6550b, 8GB, Intel graphics, Intel wifi. 64-bit Plasma system, using the desktop kernel.

No specific tests done here. Installed the presented updates, then rebooted. Used it for a short time, with no regressions noted. Then I updated to the 4.14.50-1 desktop kernel, and rebooted once more. After more use, again, no regressions noted. Using it to make this report.

CC: (none) => andrewsfarm

Comment 8 James Kerr 2018-06-19 10:26:46 CEST
on mga6-32  4.14.44-server  xfce

updates installed:
- glibc-2.22-29.mga6.i586
- glibc-devel-2.22-29.mga6.i586

no regressions noted

seems to be OK for mga6-32 on this system:

Machine:   Device: desktop Mobo: ECS model: GeForce7050M-M v: 1.0
CPU:       Quad core AMD Phenom 9500 (-MCP-) 
Graphics:  Card: NVIDIA GK208B [GeForce GT 710]
           Display Server: Mageia X.org 119.5 drivers: nvidia,v4l
           GLX Renderer: GeForce GT 710/PCIe/SSE2/3DNOW!
           GLX Version: 4.6.0 NVIDIA 390.59

CC: (none) => jim

Comment 9 PC LX 2018-06-19 20:55:33 CEST
Installed and tested without issues.

Tested through two boot cycles and many applications used. No regressions noticed.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep glibc | sort

CC: (none) => mageia

Comment 10 James Kerr 2018-06-20 11:06:12 CEST
on mga6-64  4.14.44-desktop  plasma

packages installed cleanly:
- glibc-2.22-29.mga6.x86_64
- glibc-devel-2.22-29.mga6.x86_64
- nscd-2.22-29.mga6.x86_64

no regressions noted

looks OK for mga6-64 on this system:
Machine:   Device: desktop System: Dell product: Precision Tower 3620
CPU:       Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics:  Card: Intel HD Graphics 530
Comment 11 Thomas Andrews 2018-06-20 14:52:41 CEST
On real hardware, Athlon X2, 8GB, nvidia340 graphics, Atheros wifi, 64-bit Plasma install using the server kernel.

Installed glibc and glibc-devel first, then went back and installed kernel-server 4.14.50-2, because it frequently happens that users will update in one session like this.

All packages installed cleanly. Upon rebooting, tried several apps, no regressions noted.
Comment 12 James Kerr 2018-06-20 15:52:37 CEST
Also OK in mga6-64 and mga6-32 vbox clients
Comment 13 James Kerr 2018-06-20 19:05:59 CEST
on mga6-64  kernel-desktop  xfce

packages installed cleanly:
- glibc-2.22-29.mga6.x86_64
- glibc-devel-2.22-29.mga6.x86_64

no regressions noted

OK for mga6-64 on this system:

Machine:   Device: desktop Mobo: ECS model: GeForce7050M-M 
CPU:       Quad core AMD Phenom 9500 (-MCP-)
Graphics:  Card: NVIDIA GK208B [GeForce GT 710]
Comment 14 José Jorge 2018-06-22 14:13:49 CEST
Mga6-32 on Pentium M740. Lots of testing done in both archs, whiteboarding.

Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
CC: (none) => lists.jjorge

David Walser 2018-06-24 18:00:32 CEST

Blocks: (none) => 22711

Comment 15 claire robinson 2018-06-24 21:28:01 CEST
Copious OKs. Validating. Needs advisory Thomas.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 David Walser 2018-06-24 21:51:21 CEST

Updated glibc packages fix security vulnerabilities:

An SSE2-optimized memmove implementation for i386 in
sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka
glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping
memory check if the source memory range spans the middle of the address space,
resulting in corrupt data being produced by the copy operation. This may
disclose information to context-dependent attackers, or result in a denial of
service, or, possibly, code execution (CVE-2017-18269).

stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and
earlier, when processing very long pathname arguments to the realpath function,
could encounter an integer overflow on 32-bit architectures, leading to a
stack-based buffer overflow and, potentially, arbitrary code execution

Comment 17 claire robinson 2018-06-24 22:17:30 CEST
Thanks David. Advisoried.

Keywords: (none) => advisory

Comment 18 Mageia Robot 2018-06-25 00:03:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.