A CVE has been assigned for a bug fixed upstream in glibc:
https://www.openwall.com/lists/oss-security/2021/01/28/2

Thomas already fixed it in Cauldron:
r1673800 | tmb | 2021-01-28 04:25:42 -0500 (Thu, 28 Jan 2021) | 1 line

gconv: Fix assertion failure in ISO-2022-JP-3 module [BZ #27256]
Depends on: (none) => 28273
SUSE has issued an advisory for this on February 25: https://lists.suse.com/pipermail/sle-security-updates/2021-February/008375.html
SUSE has issued an advisory on February 26:
https://lists.suse.com/pipermail/sle-security-updates/2021-February/008397.html

It fixes this, and an additional issue that Thomas already fixed in Mageia 8:
r1651569 | tmb | 2020-12-02 04:14:45 -0500 (Wed, 02 Dec 2020) | 1 line

iconv: Accept redundant shift sequences in IBM1364 [BZ #26224] (CVE-2020-27618)
Summary: glibc new security issue CVE-2021-3326 => glibc new security issues CVE-2020-27618 and CVE-2021-3326
openSUSE has issued an advisory for this on February 27: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WMNRZB427QFJOPYP4EA4KBZOTT622NY3/
glibc-2.29-22.mga7 building with:
- iconv: Accept redundant shift sequences in IBM1364 [BZ #26224] (CVE-2020-27618)
- gconv: Fix assertion failure in ISO-2022-JP-3 module [BZ #27256] (CVE-2021-3326)
- nscd: Fix double free in netgroupcache [BZ #27462] (CVE-2021-27645)
Summary: glibc new security issues CVE-2020-27618 and CVE-2021-3326 => glibc new security issues CVE-2020-27618, CVE-2021-3326 and CVE-2021-27645
SRPM:
glibc-2.29-22.mga7.src.rpm

i586:
glibc-2.29-22.mga7.i586.rpm
glibc-devel-2.29-22.mga7.i586.rpm
glibc-doc-2.29-22.mga7.noarch.rpm
glibc-i18ndata-2.29-22.mga7.i586.rpm
glibc-profile-2.29-22.mga7.i586.rpm
glibc-static-devel-2.29-22.mga7.i586.rpm
glibc-utils-2.29-22.mga7.i586.rpm
nscd-2.29-22.mga7.i586.rpm

x86_64:
glibc-2.29-22.mga7.x86_64.rpm
glibc-devel-2.29-22.mga7.x86_64.rpm
glibc-doc-2.29-22.mga7.noarch.rpm
glibc-i18ndata-2.29-22.mga7.x86_64.rpm
glibc-profile-2.29-22.mga7.x86_64.rpm
glibc-static-devel-2.29-22.mga7.x86_64.rpm
glibc-utils-2.29-22.mga7.x86_64.rpm
nscd-2.29-22.mga7.x86_64.rpm
Assignee: tmb => qa-bugs
The following 2 packages are going to be installed:

- glibc-2.29-22.mga7.x86_64
- glibc-devel-2.29-22.mga7.x86_64

I also installed this on my ancient server 32-bit instance.

Both are working as they should after the updates.
CC: (none) => brtians1
Installed and tested without issues.

This update has been in use for two days on this workstation. Lots of applications run (some proprietary) without any regressions noticed.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

This update was also tested on a QEMU/KVM VM with Mageia 7. No issues noticed.

Guest system: Mageia 7, x86_64, LXQt DE, virtio drivers.

$ uname -a
Linux marte 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep glibc
glibc-devel-2.29-22.mga7
glibc-2.29-22.mga7
CC: (none) => mageia
Advisory, added to svn:

type: security
subject: Updated glibc packages fix security vulnerabilities
CVE:
 - CVE-2020-27618
 - CVE-2021-3326
 - CVE-2021-27645
src:
  7:
   core:
     - glibc-2.29-22.mga7
description: |
  Updated glibc packages fix security vulnerabilities:

  The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and
  earlier, when processing invalid multi-byte input sequences in IBM1364,
  IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the
  input state, which could lead to an infinite loop in applications,
  resulting in a denial of service (CVE-2020-27618).

  The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and
  earlier, when processing invalid input sequences in the ISO-2022-JP-3
  encoding, fails an assertion in the code path and aborts the program,
  potentially resulting in a denial of service (CVE-2021-3326).

  The nameserver caching daemon (nscd), when processing a request for
  netgroup lookup, may crash due to a double-free, potentially resulting
  in degraded service or Denial of Service on the local system
  (CVE-2021-27645).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28246
Keywords: (none) => advisory
Tested mga7-32 under VirtualBox.
System booted normally and worked fine for about an hour.
CC: (none) => wrw105
Whiteboard: (none) => mga7-32-ok
Tested mga7-64 on hardware.
System booted fine and worked normally.
Whiteboard: mga7-32-ok => mga7-32-ok mga7-64-ok
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0150.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED