Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 635010 - <sys-libs/glibc-2.25-r9: out of bounds stack read in libidn (CVE-2016-6261)
Summary: <sys-libs/glibc-2.25-r9: out of bounds stack read in libidn (CVE-2016-6261)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on: 637140
Blocks: CVE-2015-8948, CVE-2016-6261, CVE-2016-6262, CVE-2016-6263
  Show dependency tree
 
Reported: 2017-10-21 18:00 UTC by Andreas K. Hüttel
Modified: 2018-03-27 02:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas K. Hüttel gentoo-dev 2017-10-21 18:00:05 UTC
The out of bounds stack read in libidn (CVE-2016-6261) is also present in glibc code, and so far unpatched there.

CVE:
https://nvd.nist.gov/vuln/detail/CVE-2016-6261

Fix from libidn:
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d
Comment 1 D'juan McDonald (domhnall) 2017-10-22 08:19:36 UTC
@Security, can we add to CVE please.

Gentoo Security Padawan
Daj Uan (jmbailey)
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-23 02:11:57 UTC
@Toolchain, I'm creating a tracker for this CVE, could you please confirm if glibc is affected by any of the other two CVEs?

Thank you
Comment 3 Andreas K. Hüttel gentoo-dev 2017-10-25 22:01:51 UTC
Patch added to gentoo/2.25 and gentoo/2.26 branch
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-26 00:24:56 UTC
(In reply to Andreas K. Hüttel from comment #3)
> Patch added to gentoo/2.25 and gentoo/2.26 branch

which particular revision contains the fixes?

2.25-r8 and 2.26-r2?
Comment 5 Andreas K. Hüttel gentoo-dev 2017-10-26 08:01:30 UTC
(In reply to Aaron Bauman from comment #4)
> (In reply to Andreas K. Hüttel from comment #3)
> > Patch added to gentoo/2.25 and gentoo/2.26 branch
> 
> which particular revision contains the fixes?
> 
> 2.25-r8 and 2.26-r2?

None so far, only our git repo... 

I'll add the info as soon as I make a revbump.
Comment 6 Larry the Git Cow gentoo-dev 2017-10-27 23:30:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d93339d7f5bfe90901a8c6921d1c221b54c8302a

commit d93339d7f5bfe90901a8c6921d1c221b54c8302a
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2017-10-27 23:30:07 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2017-10-27 23:30:19 +0000

    sys-libs/glibc: Revision bump to 2.25 patchlevel 12, unkeyworded so far
    
    Resolves CVE-2017-15670, CVE-2017-15804, CVE-2016-6261
    
    Bug: https://bugs.gentoo.org/634920
    Bug: https://bugs.gentoo.org/635010
    Bug: https://bugs.gentoo.org/635118
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 sys-libs/glibc/Manifest             |   1 +
 sys-libs/glibc/glibc-2.25-r9.ebuild | 154 ++++++++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)}
Comment 7 Rolf Eike Beer 2017-11-14 16:53:35 UTC
I suspect that this has been introduced in -r9?

make  subdir=libidn -C libidn ..=../ tests
make[2]: Entering directory '/var/tmp/portage/sys-libs/glibc-2.25-r9/work/glibc-2.25/libidn'
make[2]: *** No rule to make target '/var/tmp/portage/sys-libs/glibc-2.25-r9/work/build-sparc32-sparc-unknown-linux-gnu-nptl/libidn/check-abi-libcidn.out', needed by 'tests'.
make[2]: Target 'tests' not remade because of errors.
make[2]: Leaving directory '/var/tmp/portage/sys-libs/glibc-2.25-r9/work/glibc-2.25/libidn'
make[1]: *** [Makefile:216: libidn/tests] Error 2
Comment 8 Andreas K. Hüttel gentoo-dev 2017-11-29 12:01:33 UTC
All vulnerable versions are masked. No further cleanup (toolchain package). 
Nothing to do for toolchain here anymore.
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-03-27 02:33:53 UTC
GLSA Vote: No