Bug 622226 (CVE-2017-1000376)

Summary:	<dev-libs/libffi-3.2: arbitrary code execution by overwriting the stack (CVE-2017-1000376)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	major	CC:	alexander, ch4os
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A2 [noglsa cve]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2017-06-19 15:23:38 UTC

CVE-2017-1000376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000376):
  libffi requests an executable stack allowing attackers to more easily
  trigger arbitrary code execution by overwriting the stack. Please note that
  libffi is used by a number of other libraries. This affects libffi version
  3.2.1.

Comment 1 Matthias Maier gentoo-dev

2017-06-21 21:52:01 UTC

commit 6acaa7787fa53d19b19c0f193b24969a5641a315 (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 21 16:42:23 2017 -0500

    dev-libs/libffi: drop old versions, bug #622226
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2

Comment 2 Alexander Tsoy 2017-06-21 22:22:01 UTC

Do we need a patch for arm64?
https://src.fedoraproject.org/cgit/rpms/libffi.git/tree/libffi-3.1-aarch64-fix-exec-stack.patch

Comment 3 Teika kazura 2017-09-06 23:33:32 UTC

According to nvd, last modified 2017-06-28 [1]:

It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376

Regards.

Comment 4 D'juan McDonald (domhnall) 2017-10-31 22:40:47 UTC

@security, will this require a GLSA request/release?

Gentoo Security Padawan
(jmbailey/mbailey_j)

Comment 5 Andreas K. Hüttel archtester

2017-12-09 22:52:34 UTC

(In reply to Teika kazura from comment #3)
> According to nvd, last modified 2017-06-28 [1]:
> 
> It was previously stated that this affects libffi version 3.2.1 but this
> appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems
> was vulnerable, and upstream is believed to have fixed this issue in version
> 3.1.
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376
> 
> Regards.

Nothing to do for toolchain here anymore.

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2018-01-19 13:59:35 UTC

(In reply to Teika kazura from comment #3)
> According to nvd, last modified 2017-06-28 [1]:
> 
> It was previously stated that this affects libffi version 3.2.1 but this
> appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems
> was vulnerable, and upstream is believed to have fixed this issue in version
> 3.1.
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376
No, we are looking for commit https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d. And this commit appeared for the first time in libffi-3.2 release. Otherwise, Qualys would have failed to use this flaw in Debian 8 because Debian 8 was already at version 3.1.

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2018-01-19 14:06:32 UTC

Closing this bug as invalid because Gentoo was not affected: Gentoo was already at unaffected >=libffi-3.2.1 version via bug 580616 when this vulnerability got reported.