Bug 8934 - coreutils new security issues CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
: coreutils new security issues CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/535735/
: has_procedure mga2-32-OK mga2-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-02-01 19:49 CET by David Walser
Modified: 2013-02-13 00:53 CET (History)
3 users (show)

See Also:
Source RPM: coreutils
CVE:


Attachments

Description David Walser 2013-02-01 19:49:13 CET
Fedora has issued an advisory on January 25:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097837.html

These issues are caused by the i18n patch, which we appear to have.

Mageia 2 would also be affected.
Comment 1 David Walser 2013-02-01 22:40:12 CET
It appears the master branch in Fedora git had the exact same i18n patch we do in Cauldron.  The updated one for version 8.20 is here:
http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch

Fedora 17 has the same coreutils version we do, 8.15.  Their i18n patch there was almost exactly the same as ours, but not quite exactly.  Here's the updated one for 8.15:
http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch?h=f17&id=7491020ff9f0c45480b5b365823a58c869df7552

I have committed them to SVN for Mageia 2 and Cauldron, but I'll wait for Thomas to give the go-ahead to push them to the build system.
Comment 2 Thomas Backlund 2013-02-09 00:31:59 CET
Looks ok, Go ahead and push them...
Comment 3 David Walser 2013-02-09 03:04:09 CET
Thanks Thomas!

Fixed packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated coreutils packages fix security vulnerabilities:

It was reported that the sort command suffered from a segfault when processing
input streams that contained extremely long strings when used with the -d and
-M switches (CVE-2013-0221).

It was reported that the uniq command suffered from a segfault when processing
input streams that contained extremely long strings (CVE-2013-0222).

It was reported that the join command suffered from a segfault when processing
input streams that contained extremely long strings when used with the -i
switch (CVE-2013-0223).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0223
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097837.html
========================

Updated packages in core/updates_testing:
========================
coreutils-8.15-1.2.mga2
coreutils-doc-8.15-1.2.mga2

from coreutils-8.15-1.2.mga2.src.rpm
Comment 5 Carolyn Rowse 2013-02-10 10:46:18 CET
Tested i586 in VM.

CVE-2013-0221: unable to reproduce bug

CVE-2013-0222 and CVE-2013-0223: bugs reproduced; bugs gone after update.

Carolyn
Comment 6 claire robinson 2013-02-10 12:29:43 CET
Could you add the relevant whiteboard keyword please Carolyn.
https://wiki.mageia.org/en/QA_process_for_validating_updates

Thankyou :)
Comment 7 Carolyn Rowse 2013-02-10 16:33:25 CET
Now testing 64-bit.

Carolyn
Comment 8 Carolyn Rowse 2013-02-10 16:52:09 CET
Testing complete on 64-bit.

All bugs verified before update.
All bugs gone after update.


Update validated.

See comment 3 for advisory and SRPM.

Could sysadmin please push from core/updates_testing to core/updates.

Thank you.

Carolyn
Comment 9 Thomas Backlund 2013-02-13 00:53:11 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0048

Note You need to log in before you can comment on or make changes to this bug.