Bug 29928 - Update request: glibc-2.32-23.mga8
Summary: Update request: glibc-2.32-23.mga8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK MGA8-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2022-01-22 20:21 CET by Thomas Backlund
Modified: 2022-01-23 21:50 CET

See Also:
Source RPM: glibc
CVE:
Status comment:


Description Thomas Backlund 2022-01-22 20:21:25 CET
Security fixes:

The deprecated compatibility function svcunix_create in the sunrpc module
of the GNU C Library (aka glibc) through 2.34 copies its path argument on
the stack without validating its length, which may result in a buffer
overflow, potentially resulting in a denial of service or (if an application
is not built with a stack protector enabled) arbitrary code execution
(CVE-2022-23218).

The deprecated compatibility function clnt_create in the sunrpc module of
the GNU C Library (aka glibc) through 2.34 copies its hostname argument on
the stack without validating its length, which may result in a buffer
overflow, potentially resulting in a denial of service or (if an
application is not built with a stack protector enabled) arbitrary code
execution (CVE-2022-23219).


SRPM:
glibc-2.32-23.mga8.src.rpm


i586:
glibc-2.32-23.mga8.i586.rpm
glibc-devel-2.32-23.mga8.i586.rpm
glibc-doc-2.32-23.mga8.noarch.rpm
glibc-i18ndata-2.32-23.mga8.i586.rpm
glibc-profile-2.32-23.mga8.i586.rpm
glibc-static-devel-2.32-23.mga8.i586.rpm
glibc-utils-2.32-23.mga8.i586.rpm
nscd-2.32-23.mga8.i586.rpm


x86_64:
glibc-2.32-23.mga8.x86_64.rpm
glibc-devel-2.32-23.mga8.x86_64.rpm
glibc-doc-2.32-23.mga8.noarch.rpm
glibc-i18ndata-2.32-23.mga8.x86_64.rpm
glibc-profile-2.32-23.mga8.x86_64.rpm
glibc-static-devel-2.32-23.mga8.x86_64.rpm
glibc-utils-2.32-23.mga8.x86_64.rpm
nscd-2.32-23.mga8.x86_64.rpm
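
The missing length validation described in the two CVE entries above, as an added example that is not part of the original report and is not glibc's code: a bounded copy of a caller-supplied string into a stack-allocated `sockaddr_un`. The helper names `checked_sun_path` and `try_length` are hypothetical, and the use of `ENAMETOOLONG` as the error code is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not glibc's code): fill a sockaddr_un from a
   caller-supplied string, refusing anything that does not fit in
   sun_path together with its terminating NUL. */
int checked_sun_path(struct sockaddr_un *addr, const char *path)
{
    size_t len;

    if (addr == NULL || path == NULL) {
        errno = EINVAL;
        return -1;
    }
    len = strlen(path) + 1;               /* bytes needed, NUL included */
    if (len > sizeof(addr->sun_path)) {   /* the validation the advisory says was absent */
        errno = ENAMETOOLONG;             /* assumption: error code chosen for this example */
        return -1;
    }
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len);    /* bounded: len was checked above */
    return 0;
}

/* Constructed input: a string of n 'a' characters, as a caller of an
   RPC-style API might pass for a socket path or host name. */
int try_length(size_t n)
{
    struct sockaddr_un addr;              /* on the stack, as in the advisory */
    char buf[512];

    if (n >= sizeof(buf)) { errno = EINVAL; return -1; }
    memset(buf, 'a', n);
    buf[n] = '\0';
    return checked_sun_path(&addr, buf);
}

int main(void)
{
    size_t cap = sizeof(((struct sockaddr_un *)0)->sun_path);
    printf("%zu chars: %d\n", cap - 1, try_length(cap - 1)); /* fits */
    printf("%zu chars: %d\n", cap, try_length(cap));         /* rejected */
    return 0;
}
```
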
Comment 1 Len Lawrence 2022-01-22 21:53:17 CET
x86_64, Mate
Updated the eight packages via qarepo/MageiaUpdate and rebooted smoothly.
$ rpm -qa | grep glibc
glibc-static-devel-2.32-23.mga8
glibc-profile-2.32-23.mga8
glibc-2.32-23.mga8
glibc-utils-2.32-23.mga8
glibc-i18ndata-2.32-23.mga8
glibc-doc-2.32-23.mga8
glibc-devel-2.32-23.mga8
$ rpm -q nscd
nscd-2.32-23.mga8

Everything looks fine.  Nothing suspicious in dmesg.  Giving this an OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Thomas Andrews 2022-01-22 22:05:36 CET

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Andrews 2022-01-22 22:06:34 CET

Keywords: validated_update => (none)

Comment 2 Thomas Andrews 2022-01-22 22:25:20 CET
(First validation was a slip of the mouse...)

Since this is so fundamental, also tested on real 32-bit hardware: Foolishness, my Dell Inspiron 5100, 32-bit P4, Xfce system.

Updated via qarepo, and rebooted. Everything looks good here, too. Giving it a 32-bit OK and validating.

Keywords: (none) => validated_update
Whiteboard: MGA8-64-OK => MGA8-64-OK MGA8-32-OK

Comment 3 Mageia Robot 2022-01-23 21:50:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0028.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED