Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 622226 (CVE-2017-1000376)

Summary: <dev-libs/libffi-3.2: arbitrary code execution by overwriting the stack (CVE-2017-1000376)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: major CC: alexander, ch4os
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-06-19 15:23:38 UTC
CVE-2017-1000376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000376):
  libffi requests an executable stack allowing attackers to more easily
  trigger arbitrary code execution by overwriting the stack. Please note that
  libffi is used by a number of other libraries. This affects libffi version
  3.2.1.
Comment 1 Matthias Maier gentoo-dev 2017-06-21 21:52:01 UTC
commit 6acaa7787fa53d19b19c0f193b24969a5641a315 (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 21 16:42:23 2017 -0500

    dev-libs/libffi: drop old versions, bug #622226
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 2 Alexander Tsoy 2017-06-21 22:22:01 UTC
Do we need a patch for arm64?
https://src.fedoraproject.org/cgit/rpms/libffi.git/tree/libffi-3.1-aarch64-fix-exec-stack.patch
Comment 3 Teika kazura 2017-09-06 23:33:32 UTC
According to nvd, last modified 2017-06-28 [1]:

It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376

Regards.
Comment 4 D'juan McDonald (domhnall) 2017-10-31 22:40:47 UTC
@security, will this require a GLSA request/release?

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-12-09 22:52:34 UTC
(In reply to Teika kazura from comment #3)
> According to nvd, last modified 2017-06-28 [1]:
> 
> It was previously stated that this affects libffi version 3.2.1 but this
> appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems
> was vulnerable, and upstream is believed to have fixed this issue in version
> 3.1.
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376
> 
> Regards.

Nothing to do for toolchain here anymore.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-19 13:59:35 UTC
(In reply to Teika kazura from comment #3)
> According to nvd, last modified 2017-06-28 [1]:
> 
> It was previously stated that this affects libffi version 3.2.1 but this
> appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems
> was vulnerable, and upstream is believed to have fixed this issue in version
> 3.1.
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376
No, we are looking for commit https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d. And this commit appeared for the first time in libffi-3.2 release. Otherwise, Qualys would have failed to use this flaw in Debian 8 because Debian 8 was already at version 3.1.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-19 14:06:32 UTC
Closing this bug as invalid because Gentoo was not affected: Gentoo was already at unaffected >=libffi-3.2.1 version via bug 580616 when this vulnerability got reported.