Bug 28942 - glibc new security issue CVE-2016-10228
Summary: glibc new security issue CVE-2016-10228
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-18 23:39 CEST by David Walser
Modified: 2021-06-28 23:18 CEST

See Also:
Source RPM: glibc-2.29-22.mga7.src.rpm
CVE: CVE-2016-10228
Status comment:


Attachments

Description David Walser 2021-05-18 23:39:29 CEST
RedHat has issued an advisory today (May 18):
https://access.redhat.com/errata/RHSA-2021:1585
Comment 1 Thomas Backlund 2021-05-31 12:05:08 CEST
Mga7 is EOL.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 2 Frédéric "LpSolit" Buclin 2021-05-31 18:47:55 CEST
(In reply to Thomas Backlund from comment #1)
> Mga7 is EOL.

Per https://ml.mageia.org/l/arc/council/2021-05/msg00019.html, Mageia 7 is not yet EOL.
David Walser 2021-05-31 19:33:16 CEST

Status: RESOLVED => REOPENED
Resolution: WONTFIX => (none)

Comment 3 David Walser 2021-06-22 00:48:53 CEST
Advisory:
========================

Updated glibc packages fix security vulnerability:

A vulnerability was found in the iconv program provided by glibc when it's
invoked with the -c option. It can enter an infinite loop while parsing an
invalid multi-byte sequence (CVE-2016-10228).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228
https://access.redhat.com/errata/RHSA-2021:1585
========================

Updated packages in core/updates_testing:
========================
glibc-2.29-23.mga7
glibc-devel-2.29-23.mga7
glibc-static-devel-2.29-23.mga7
glibc-profile-2.29-23.mga7
nscd-2.29-23.mga7
glibc-utils-2.29-23.mga7
glibc-i18ndata-2.29-23.mga7
glibc-doc-2.29-23.mga7

from glibc-2.29-23.mga7.src.rpm

Assignee: tmb => qa-bugs

Comment 4 Herman Viaene 2021-06-23 16:20:06 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
rebooted after installation, comes up OK.
Nothing obvious wrong with wifi, internet and NFS-shares access and different file types.

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2021-06-24 20:20:26 CEST
Took a look at the CVE and ran the two oneliners suggested on the RedHat bug.
CVE-2016-10228
https://sourceware.org/bugzilla/show_bug.cgi?id=19519

Before updates:
$ echo -en '\x80' | iconv -f us-ascii -t us-ascii//translit//ignore -c
Hangs....
$ echo -en "\x0e\x0e" | /usr/bin/iconv -c -f IBM1364
$

After the updates neither hang iconv.
$ echo -en '\x80' | iconv -f us-ascii -t us-ascii//translit//ignore -c
$ echo -en "\x0e\x0e" | /usr/bin/iconv -c -f IBM1364
Note that the second test needs glibc-i18ndata.

Going with Herman - this looks good.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
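The same two one-liners, wrapped so that a vulnerable iconv reports "vulnerable" instead of stalling the QA shell. This is an added example, not part of the bug report; it assumes GNU coreutils `timeout` (exit status 124 on expiry) and uses printf octal escapes in place of `echo -en '\x80'`.

```shell
#!/bin/sh
# Added example for CVE-2016-10228: run each iconv reproducer under a
# timeout and classify the outcome instead of letting the shell hang.
# Assumes GNU coreutils `timeout` and the glibc `iconv` program on PATH.

# Seconds to wait before declaring the conversion hung (override via env).
ICONV_HANG_LIMIT=${ICONV_HANG_LIMIT:-5}

# $1 = input bytes as a printf format (octal escapes), $2.. = iconv args.
# Prints "vulnerable"  if iconv did not finish within the limit (the CVE),
#        "fixed"       if iconv terminated (a non-zero exit is expected:
#                      with -c it still reports the discarded byte),
#        "unavailable" if iconv or timeout is not installed.
iconv_hang_status() {
    fmt=$1; shift
    command -v iconv >/dev/null 2>&1 || { echo unavailable; return 0; }
    command -v timeout >/dev/null 2>&1 || { echo unavailable; return 0; }
    rc=0
    printf "$fmt" | timeout "$ICONV_HANG_LIMIT" iconv "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 124 ]; then echo vulnerable; else echo fixed; fi
}

# First reproducer from the test report: \200 is the byte 0x80.
check_ascii_translit() {
    iconv_hang_status '\200' -f us-ascii -t us-ascii//translit//ignore -c
}

# Second reproducer: \016\016 is 0x0e 0x0e. Needs the IBM1364 charmap
# (glibc-i18ndata on Mageia); without it iconv exits at once with
# "conversion not supported", which is reported as "fixed" (no hang).
check_ibm1364() {
    iconv_hang_status '\016\016' -c -f IBM1364
}

main() {
    echo "us-ascii//translit//ignore -c: $(check_ascii_translit)"
    echo "IBM1364 -c:                    $(check_ibm1364)"
}

main "$@"
```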

Comment 6 Thomas Andrews 2021-06-27 02:54:08 CEST
Good enough for me. Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Aurelien Oudelet 2021-06-28 21:15:38 CEST
Assigning.
Advisory committed.

CC: (none) => ouaurelien
CVE: (none) => CVE-2016-10228
Status: REOPENED => ASSIGNED
Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-06-28 23:18:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0289.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
