CVE-2017-1000376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000376): libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. This affects libffi version 3.2.1.
commit 6acaa7787fa53d19b19c0f193b24969a5641a315 (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 21 16:42:23 2017 -0500

    dev-libs/libffi: drop old versions, bug #622226

    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Do we need a patch for arm64? https://src.fedoraproject.org/cgit/rpms/libffi.git/tree/libffi-3.1-aarch64-fix-exec-stack.patch
According to nvd, last modified 2017-06-28 [1]:

It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376

Regards.
@security, will this require a GLSA request/release? Gentoo Security Padawan (jmbailey/mbailey_j)
(In reply to Teika kazura from comment #3)
> According to nvd, last modified 2017-06-28 [1]:
>
> It was previously stated that this affects libffi version 3.2.1 but this
> appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems
> was vulnerable, and upstream is believed to have fixed this issue in version
> 3.1.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376
>
> Regards.

Nothing to do for toolchain here anymore.
(In reply to Teika kazura from comment #3)
> According to nvd, last modified 2017-06-28 [1]:
>
> It was previously stated that this affects libffi version 3.2.1 but this
> appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems
> was vulnerable, and upstream is believed to have fixed this issue in version
> 3.1.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376

No, we are looking for commit https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d. And this commit appeared for the first time in libffi-3.2 release. Otherwise, Qualys would have failed to use this flaw in Debian 8 because Debian 8 was already at version 3.1.
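Since the thread above shows how easy it is to disagree about which version string carries the fix, the reliable way to tell whether a particular libffi build (or any other shared object on the system) still requests an executable stack is to look at the artifact itself: the PT_GNU_STACK program header. PF_X set there means the loader maps the process stack RWX, which is the condition CVE-2017-1000376 describes. The script below is an added example, not part of this bug, of Gentoo's packaging, or of libffi; it parses the ELF header and program header table directly (ELF32 and ELF64, either byte order) and reports "exec", "noexec" or "missing". The `build_test_elf` helper constructs minimal throwaway ELF images so the checker can be exercised offline; the function names `gnu_stack_state`, `build_test_elf` and `check_file` are the example's own.

```python
"""Report whether an ELF object asks the loader for an executable stack.

Added example (not libffi or Gentoo code). The PT_GNU_STACK program header
carries the stack permissions; PF_X set there is the defect behind
CVE-2017-1000376.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # p_type value defined by the GNU ELF extensions
PF_X = 0x1                  # p_flags bit: executable
ELF_MAGIC = b"\x7fELF"


def gnu_stack_state(data: bytes) -> str:
    """Return 'exec', 'noexec' or 'missing' for the ELF image in `data`.

    'missing' means there is no PT_GNU_STACK header at all. On x86 Linux the
    kernel then defaults to an executable stack, so a caller auditing x86
    libraries should treat 'missing' as unsafe as well.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}[ei_data]          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                             # ELFCLASS32
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
        ph_fmt, flags_index = endian + "IIIIIIII", 6
    elif ei_class == 2:                           # ELFCLASS64
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
        # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        ph_fmt, flags_index = endian + "IIQQQQQQ", 1
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return "exec" if fields[flags_index] & PF_X else "noexec"
    return "missing"


def check_file(path: str) -> str:
    """Read one ELF file from disk and classify its stack request."""
    with open(path, "rb") as fh:
        return gnu_stack_state(fh.read())


def build_test_elf(elf_class: int, stack_flags) -> bytes:
    """Constructed minimal ELF image (no code, no sections) for self-tests.

    `stack_flags` is the p_flags value for PT_GNU_STACK, or None to omit the
    header entirely. A PT_LOAD entry precedes it so the table has more than
    one row. Little-endian only; the parser above handles both orders.
    """
    phdrs = [(1, 0x5)]                            # PT_LOAD, PF_R | PF_X
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    ident = ELF_MAGIC + bytes([1 if elf_class == 32 else 2, 1, 1]) + bytes(9)
    if elf_class == 32:
        ehsize, phentsize = 52, 32
        header = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, ehsize, 0,
                                     0, ehsize, phentsize, len(phdrs), 0, 0, 0)
        table = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0)
                         for t, f in phdrs)
    else:
        ehsize, phentsize = 64, 56
        header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehsize, 0,
                                     0, ehsize, phentsize, len(phdrs), 0, 0, 0)
        table = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                         for t, f in phdrs)
    return header + table


if __name__ == "__main__":
    # Usage: python3 check_gnu_stack.py /path/to/libffi.so ...
    for path in sys.argv[1:]:
        print("%s: %s" % (path, check_file(path)))
```

The same answer comes from binutils with `readelf -lW <file> | grep GNU_STACK`, which prints `RWE` for an executable-stack request and `RW` otherwise. GNU ld marks an output RWE whenever any input object lacks a `.note.GNU-stack` section, which is why hand-written assembler sources such as libffi's trampolines are the usual cause and why the fix is a one-line section directive rather than a code change.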
Closing this bug as invalid because Gentoo was not affected: Gentoo was already at unaffected >=libffi-3.2.1 version via bug 580616 when this vulnerability got reported.