Security fixes:

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution (CVE-2022-23218).

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution (CVE-2022-23219).

SRPM:
glibc-2.32-23.mga8.src.rpm

i586:
glibc-2.32-23.mga8.i586.rpm
glibc-devel-2.32-23.mga8.i586.rpm
glibc-doc-2.32-23.mga8.noarch.rpm
glibc-i18ndata-2.32-23.mga8.i586.rpm
glibc-profile-2.32-23.mga8.i586.rpm
glibc-static-devel-2.32-23.mga8.i586.rpm
glibc-utils-2.32-23.mga8.i586.rpm
nscd-2.32-23.mga8.i586.rpm

x86_64:
glibc-2.32-23.mga8.x86_64.rpm
glibc-devel-2.32-23.mga8.x86_64.rpm
glibc-doc-2.32-23.mga8.noarch.rpm
glibc-i18ndata-2.32-23.mga8.x86_64.rpm
glibc-profile-2.32-23.mga8.x86_64.rpm
glibc-static-devel-2.32-23.mga8.x86_64.rpm
glibc-utils-2.32-23.mga8.x86_64.rpm
nscd-2.32-23.mga8.x86_64.rpm
x86_64, Mate

Updated the eight packages via qarepo/MageiaUpdate and rebooted smoothly.

$ rpm -qa | grep glibc
glibc-static-devel-2.32-23.mga8
glibc-profile-2.32-23.mga8
glibc-2.32-23.mga8
glibc-utils-2.32-23.mga8
glibc-i18ndata-2.32-23.mga8
glibc-doc-2.32-23.mga8
glibc-devel-2.32-23.mga8
$ rpm -q nscd
nscd-2.32-23.mga8

Everything looks fine. Nothing suspicious in dmesg. Giving this an OK.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: validated_update => (none)
(First validation was a slip of the mouse...) Since this is so fundamental, also tested on real 32-bit hardware: Foolishness, my Dell Inspiron 5100, 32-bit P4, Xfce system. Updated via qarepo, and rebooted. Everything looks good here, too. Giving it a 32-bit OK and validating.
Keywords: (none) => validated_update
Whiteboard: MGA8-64-OK => MGA8-64-OK MGA8-32-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0028.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED