The out-of-bounds stack read in libidn (CVE-2016-6261) is also present in glibc code, and so far unpatched there.
Fix from libidn:
@Security, can we add to CVE please.
Gentoo Security Padawan
Daj Uan (jmbailey)
@Toolchain, I'm creating a tracker for this CVE, could you please confirm if glibc is affected by any of the other two CVEs?
Patch added to gentoo/2.25 and gentoo/2.26 branch
(In reply to Andreas K. Hüttel from comment #3)
> Patch added to gentoo/2.25 and gentoo/2.26 branch
which particular revision contains the fixes?
2.25-r8 and 2.26-r2?
(In reply to Aaron Bauman from comment #4)
> (In reply to Andreas K. Hüttel from comment #3)
> > Patch added to gentoo/2.25 and gentoo/2.26 branch
> which particular revision contains the fixes?
> 2.25-r8 and 2.26-r2?
None so far, only our git repo...
I'll add the info as soon as I make a revbump.
The bug has been referenced in the following commit(s):
Author: Andreas K. Hüttel <firstname.lastname@example.org>
AuthorDate: 2017-10-27 23:30:07 +0000
Commit: Andreas K. Hüttel <email@example.com>
CommitDate: 2017-10-27 23:30:19 +0000
sys-libs/glibc: Revision bump to 2.25 patchlevel 12, unkeyworded so far
Resolves CVE-2017-15670, CVE-2017-15804, CVE-2016-6261
Package-Manager: Portage-2.3.13, Repoman-2.3.4
sys-libs/glibc/Manifest | 1 +
sys-libs/glibc/glibc-2.25-r9.ebuild | 154 ++++++++++++++++++++++++++++++++++++
2 files changed, 155 insertions(+)
I suspect that this has been introduced in -r9?
make subdir=libidn -C libidn ..=../ tests
make: Entering directory '/var/tmp/portage/sys-libs/glibc-2.25-r9/work/glibc-2.25/libidn'
make: *** No rule to make target '/var/tmp/portage/sys-libs/glibc-2.25-r9/work/build-sparc32-sparc-unknown-linux-gnu-nptl/libidn/check-abi-libcidn.out', needed by 'tests'.
make: Target 'tests' not remade because of errors.
make: Leaving directory '/var/tmp/portage/sys-libs/glibc-2.25-r9/work/glibc-2.25/libidn'
make: *** [Makefile:216: libidn/tests] Error 2
All vulnerable versions are masked. No further cleanup (toolchain package).
Nothing to do for toolchain here anymore.
GLSA Vote: No