Bug 33953 - glibc new security issue CVE-2025-0395
Summary: glibc new security issue CVE-2025-0395
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-32-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-01-23 09:47 CET by Nicolas Salguero
Modified: 2025-01-26 04:21 CET

See Also:
Source RPM: glibc-2.36-54.mga9.src.rpm
CVE: CVE-2025-0395
Status comment:



Nicolas Salguero 2025-01-23 09:48:00 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => glibc-2.40-1.mga10.src.rpm, glibc-2.36-54.mga9.src.rpm
CVE: (none) => CVE-2025-0395
Status comment: (none) => Patches available from upstream

Comment 1 Nicolas Salguero 2025-01-23 11:54:01 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. (CVE-2025-0395)

References:
https://www.openwall.com/lists/oss-security/2025/01/22/4
========================

Updated packages in core/updates_testing:
========================
glibc-2.36-55.mga9
glibc-devel-2.36-55.mga9
glibc-doc-2.36-55.mga9.noarch.rpm
glibc-i18ndata-2.36-55.mga9
glibc-profile-2.36-55.mga9
glibc-static-devel-2.36-55.mga9
glibc-utils-2.36-55.mga9
nscd-2.36-55.mga9

from SRPM:
glibc-2.36-55.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
Status comment: Patches available from upstream => (none)
Source RPM: glibc-2.40-1.mga10.src.rpm, glibc-2.36-54.mga9.src.rpm => glibc-2.36-54.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
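
Added example, not part of the original bug report and not glibc source code: a simplified C model of the allocation arithmetic described in the advisory above, showing why a buffer sized for the message alone comes up short once the size field is stored in front of it. The struct layout, the 4096-byte page size and all function names are assumptions made for illustration.

```c
/* Added illustration: a simplified model, not glibc source code. */
#include <stddef.h>
#include <stdio.h>

/* Assumed layout: a size field followed directly by the message bytes. */
struct msg_buf {
    unsigned int size;
    char msg[];
};

/* Round n up to a multiple of page (page must be a power of two). */
static size_t round_up(size_t n, size_t page) {
    return (n + page - 1) & ~(page - 1);
}

/* Bytes the buffer must hold: size field + message + terminating NUL. */
static size_t bytes_needed(size_t msg_len) {
    return offsetof(struct msg_buf, msg) + msg_len + 1;
}

/* Under-sized calculation: only message + NUL are rounded up to pages. */
static size_t alloc_without_header(size_t msg_len, size_t page) {
    return round_up(msg_len + 1, page);
}

/* Corrected calculation: the size field is counted before rounding. */
static size_t alloc_with_header(size_t msg_len, size_t page) {
    return round_up(bytes_needed(msg_len), page);
}

/* Bytes that would land past the end of the allocation (0 = it fits). */
static size_t overflow_bytes(size_t alloc, size_t msg_len) {
    size_t need = bytes_needed(msg_len);
    return need > alloc ? need - alloc : 0;
}

int main(void) {
    const size_t page = 4096;                   /* assumed page size */
    size_t lens[] = { 100, 4091, 4095, 8191 };  /* constructed lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t a = alloc_without_header(lens[i], page);
        size_t b = alloc_with_header(lens[i], page);
        printf("len=%zu short=%zu (over by %zu) full=%zu (over by %zu)\n",
               lens[i], a, overflow_bytes(a, lens[i]),
               b, overflow_bytes(b, lens[i]));
    }
    return 0;
}
```

In this model the shortfall appears only when the message plus its terminator exactly fills whole pages (lengths 4095 and 8191 here); typical short messages leave enough slack in the final page to absorb the size field.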

Comment 2 Brian Rockwell 2025-01-23 19:40:09 CET
MGA9-64, Xfce, Asus Laptop

AMD A6-9225 RADEON R4
RTL8723BE 
Bluetooth


The following 2 packages are going to be installed:

- glibc-2.36-55.mga9.x86_64
- nscd-2.36-55.mga9.x86_64

0B of additional disk space will be used.


---- rebooted

lived with it for awhile - no issues on my end

CC: (none) => brtians1

PC LX 2025-01-23 20:21:05 CET

CC: (none) => mageia

Comment 3 Thomas Andrews 2025-01-24 01:22:55 CET
MGA9-64 Plasma, I5-7500, Nvidia Quadro K620 graphics. Updated glibc, glibc-devel, and nscd. Rebooted without issues, so far. Will use it for a while before declaring it OK.

Glibc is so basic to Mageia operation that we should have some 32-bit tests in addition to 64, and as many systems of both arches as reasonably possible.

CC: (none) => andrewsfarm

katnatek 2025-01-24 01:34:10 CET

Keywords: (none) => advisory

Comment 4 Morgan Leijström 2025-01-24 12:05:06 CET
x86_64 OK here; glibc, glibc-devel, and nscd updated on three Plasma systems

i586 OK here:
Updated incl all in testing on ThinkPad T43, LXDE:
Used for a while with Firefox, LibreOffice, our (old) nextcloud-client
Also suspend-resume, and hibernate-restore OK incl wifi (using networkmanager)

CC: (none) => fri

Comment 5 Herman Viaene 2025-01-24 15:41:15 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Did a cold restart after installation.
Web access OK (wireless), Updating this bug.
Tested different document types, pictures, music, video, no problems encountered.

CC: (none) => herman.viaene

Comment 6 Brian Rockwell 2025-01-24 15:47:03 CET
MGA9-32, AMD A6-3420M APU with Radeon(tm) HD Graphics, old Laptop

The following 2 packages are going to be installed:

- glibc-2.36-55.mga9.i586
- nscd-2.36-55.mga9.i586


---rebooted

spending time using firefox, etc.  - working
Comment 7 katnatek 2025-01-25 17:40:06 CET
RH i586

installing glibc-2.36-55.mga9.i586.rpm glibc-utils-2.36-55.mga9.i586.rpm glibc-devel-2.36-55.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing...                     #######################################################################################
      1/3: glibc                 #######################################################################################
      2/3: glibc-devel           #######################################################################################
      3/3: glibc-utils           #######################################################################################
      1/3: removing glibc-utils-6:2.36-54.mga9.i586
                                 #######################################################################################
      2/3: removing glibc-devel-6:2.36-54.mga9.i586
                                 #######################################################################################
      3/3: removing glibc-6:2.36-54.mga9.i586
                                 #######################################################################################
You should restart your computer for glibc
restarting urpmi


installing glibc-doc-2.36-55.mga9.noarch.rpm nscd-2.36-55.mga9.i586.rpm glibc-i18ndata-2.36-55.mga9.i586.rpm glibc-profile-2.36-55.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing...                     #######################################################################################
      1/4: glibc-profile         #######################################################################################
      2/4: glibc-i18ndata        #######################################################################################
      3/4: glibc-doc             #######################################################################################
      4/4: nscd                  #######################################################################################
      1/4: removing glibc-profile-6:2.36-54.mga9.i586
                                 #######################################################################################
      2/4: removing glibc-i18ndata-6:2.36-54.mga9.i586
                                 #######################################################################################
      3/4: removing nscd-6:2.36-54.mga9.i586
                                 #######################################################################################
      4/4: removing glibc-doc-6:2.36-54.mga9.noarch
                                 #######################################################################################


Reboot

No issues to report after using the system for a while
Comment 8 katnatek 2025-01-25 17:59:05 CET
RH x86_64

installing glibc-2.36-55.mga9.x86_64.rpm glibc-devel-2.36-55.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: glibc                 ##################################################################################################
      2/2: glibc-devel           ##################################################################################################
      1/2: removing glibc-devel-6:2.36-54.mga9.x86_64
                                 ##################################################################################################
      2/2: removing glibc-6:2.36-54.mga9.x86_64
                                 ##################################################################################################
You should restart your computer for glibc
Error: Missing /usr/lib64/gconv/gconv-modules.cache file.n

The last message is already reported as bug#31909
no additional things to report
The system works as usual after reboot
Comment 9 Thomas Andrews 2025-01-26 00:36:33 CET
MGA9-32 on Foolishness, my Dell Inspiron 5100, P4, radeon RV200 graphics. Tested with both the desktop and desktop586 kernels.

No installation issues with either kernel, and no issues apparent after the reboot.
Comment 10 Thomas Andrews 2025-01-26 00:37:32 CET
More than enough tests, I think. Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-32-OK MGA9-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2025-01-26 04:21:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0026.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

