Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 574880 (CVE-2015-7547) - <sys-libs/glibc-2.21-r2: stack overflow in getaddrinfo (CVE-2015-7547)
Summary: <sys-libs/glibc-2.21-r2: stack overflow in getaddrinfo (CVE-2015-7547)
Status: RESOLVED FIXED
Alias: CVE-2015-7547
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 2 votes (vote)
Assignee: Gentoo Security
URL: https://sourceware.org/ml/libc-alpha/...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks: CVE-2014-8121
  Show dependency tree
 
Reported: 2016-02-16 14:22 UTC by Hanno Böck
Modified: 2016-02-24 15:36 UTC (History)
29 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch for sys-libs/glibc-2.22-r1 (CVE-2015-7547.patch,23.30 KB, patch)
2016-02-16 19:21 UTC, Matt Whitlock
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Matthias Maier gentoo-dev 2016-02-16 16:04:13 UTC
The Debian Security Advisory for CVE-2015-7547 [1] lists 3 more CVEs for glibc:

  CVE-2015-8776
  CVE-2015-8778
  CVE-2015-8779

[1] https://lists.debian.org/debian-security-announce/2016/msg00051.html
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2016-02-16 16:40:17 UTC
Just to get everyone on the same page: Sorry for not filing a bug earlier. We have been aware of this vulnerability through the pre-notification channels. We had already discussed with vapier that we will provide an updated package once the issue is released, instead of preparing a package based on the non-final patches.
Comment 3 Hanno Böck gentoo-dev 2016-02-16 16:43:40 UTC
"we will provide an updated package once the issue is released, instead of preparing a package based on the non-final patches."

What do you mean by that? The issue is released, there is an official patch from the glibc developers.

Do you mean you want to wait until there is an updated glibc release? I don't know if that's going to happen any time soon, the announcement doesn't say anything about that (based on past experiences glibc releases don't automatically happen after security issues). And I think this issue is definitely severe enough that an update should happen within hours, not days.
Comment 4 SpanKY gentoo-dev 2016-02-16 17:14:23 UTC
i'm taking care of it.  don't bother kicking over semantics.
Comment 5 Agostino Sarubbo gentoo-dev 2016-02-16 17:20:56 UTC
(In reply to Matthias Maier from comment #1)
> The Debian Security Advisory for CVE-2015-7547 [1] lists 3 more CVEs for
> glibc:
> 
>   CVE-2015-8776
>   CVE-2015-8778
>   CVE-2015-8779
> 
> [1] https://lists.debian.org/debian-security-announce/2016/msg00051.html

they are reported in bug 572416
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2016-02-16 17:37:23 UTC
(In reply to Hanno Boeck from comment #3)
> "we will provide an updated package once the issue is released, instead of
> preparing a package based on the non-final patches."
> 
> What do you mean by that? The issue is released, there is an official patch
> from the glibc developers.
> 
> Do you mean you want to wait until there is an updated glibc release? I
> don't know if that's going to happen any time soon, the announcement doesn't
> say anything about that (based on past experiences glibc releases don't
> automatically happen after security issues). And I think this issue is
> definitely severe enough that an update should happen within hours, not
> days.

I mean that, for severe issues like this one, we usually prepare updated packages during the embargo period so that we are ready to commit it *the minute* it is released. In this case we didn't do that, and seeing that multiple people have already pinged us about whether we're aware of this bug, I merely wanted to assure everyone that we're aware and that a fixed package will be available soon. :)

Sorry about the confusion.
Comment 7 Luke-Jr 2016-02-16 18:07:45 UTC
In the meantime, I backported the patch from https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html to apply cleanly to at least sys-libs/glibc-2.21-r1
Throw http://codepad.org/NiV9JoCF in /etc/portage/patches/sys-libs/glibc/CVE-2015-7547.patch and re-emerge glibc.

Disclaimer: I am not a security expert, and have not reviewed the patch's logic at all. Use at your own risk, and definitely upgrade to the official Gentoo fix as soon as it is released (don't forget to remove the /etc/portage/patches/... file!).
Comment 8 SpanKY gentoo-dev 2016-02-16 19:04:26 UTC
the fix is included in glibc-2.21-r2 so it should be easier/safer to stabilize (rather than jump 2.21 to 2.22)
Comment 9 Matt Whitlock 2016-02-16 19:21:36 UTC
Created attachment 425664 [details, diff]
patch for sys-libs/glibc-2.22-r1

Here is the patch from upstream, rebased to apply to sys-libs/glibc-2.22-r1 in the Portage tree. (I just had to add four additional lines for the patch to delete. Luke-Jr's patch from Comment 7 did not apply cleanly to 2.22-r1.)

Drop this patch into /etc/portage/patches/sys-libs/glibc-2.22-r1/CVE-2015-7547.patch and re-emerge sys-libs/glibc.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2016-02-16 19:35:58 UTC
(In reply to SpanKY from comment #8)
> the fix is included in glibc-2.21-r2 so it should be easier/safer to
> stabilize (rather than jump 2.21 to 2.22)

Thanks!

Arches, please test and mark stable:
=sys-libs/glibc-2.22-r1
Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2016-02-16 19:38:37 UTC
(In reply to Tobias Heinlein from comment #10)
> (In reply to SpanKY from comment #8)
> > the fix is included in glibc-2.21-r2 so it should be easier/safer to
> > stabilize (rather than jump 2.21 to 2.22)
> 
> Thanks!
> 
> Arches, please test and mark stable:
> =sys-libs/glibc-2.22-r1
> Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh
> sparc x86"

Sorry, I meant 2.21-r2 of course.
Comment 12 Tobias Klausmann gentoo-dev 2016-02-16 19:49:50 UTC
(In reply to Tobias Heinlein from comment #11)
> Sorry, I meant 2.21-r2 of course.

Any ETA for a 2.22-r2?
Comment 13 SpanKY gentoo-dev 2016-02-16 20:51:01 UTC
(In reply to Tobias Klausmann from comment #12)

2.22-r2 will need to bake for 30 days.  there's some locale changes in there.
Comment 14 Richard Freeman gentoo-dev 2016-02-17 12:34:39 UTC
amd64 stable

(helpful tip - if you do your commits using repoman commit you'll spot invalid copyrights)
Comment 15 Lars Wendler (Polynomial-C) gentoo-dev 2016-02-17 14:44:04 UTC
x86 stable


Another helpful tip for users: If the build fails for you, try MAKEOPTS="-j1". See bug #574948 for details.
Comment 16 Agostino Sarubbo gentoo-dev 2016-02-17 15:24:57 UTC
Stable for alpha/arm/ia64/ppc/ppc64/sparc
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-02-17 15:39:16 UTC
This issue was resolved and addressed in
 GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2016-02-17 15:41:03 UTC
Reopening for remaining arches.
Comment 19 SpanKY gentoo-dev 2016-02-17 16:47:39 UTC
i've done the remaining arches