Bug 589832 (CVE-2016-6264) - <sys-libs/uclibc-ng-1.0.16: ARM arch: code execution
Summary: <sys-libs/uclibc-ng-1.0.16: ARM arch: code execution
Status: RESOLVED FIXED
Alias: CVE-2016-6264
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [noglsa cve]
Reported: 2016-07-27 10:19 UTC by Agostino Sarubbo
Modified: 2017-06-03 18:07 UTC

Description Agostino Sarubbo gentoo-dev 2016-07-27 10:19:57 UTC
From ${URL} :

Hi all,

u-clibc and uclibc-ng are used in several projects[4, 5].

As described here[3], an attacker that controls the length parameter of
the `memset' can also control the value of the PC register. The issue is
similar to CVE-2011-2702. A patch has been proposed for uclibc-ng[1]. A
denial of service proof of concept is available[2].

Thanks,
Lucian

[1]http://repo.or.cz/uclibc-ng.git/commit/e3848e3dd64a8d6437531488fe341354bc02eaed
[2]http://article.gmane.org/gmane.comp.lib.uclibc-ng/27
[3]http://mailman.uclibc-ng.org/pipermail/devel/2016-May/000890.html
[4]https://www.uclibc.org/products.html
[5]http://www.uclibc-ng.org/



@security: please file the request for the GLSA.
Comment 1 Anthony Basile gentoo-dev 2016-07-27 19:05:39 UTC
This fix is in uclibc-ng-1.0.16 which is the only version in the tree, except for the live ebuild.  So all the vulnerable versions have been removed already.
Comment 2 Alessandro Di Federico 2016-08-18 20:54:41 UTC
Hi, I just found this vulnerability independently yesterday.

(In reply to Anthony Basile from comment #1)
> This fix is in uclibc-ng-1.0.16 which is the only version in the tree,
> except for the live ebuild.  So all the vulnerable versions have been
> removed already.

What about sys-libs/uclibc? It's in-tree and not patched. Also, all the ARM-based uClibc crossdev toolchains are affected, I think quite some people use it to statically link stuff.
The uClibc ARM tarballs are still affected by this bug [1] too.

uClibc's latest release dates back to 15 May 2012, maybe we should estimate the effort of dropping uClibc completely in favor of uClibc-ng. Has it ever been tried?

[1] http://distfiles.gentoo.org/experimental/arm/uclibc/
Comment 3 Anthony Basile gentoo-dev 2016-08-18 22:20:30 UTC
(In reply to Alessandro Di Federico from comment #2)
> Hi, I just found this vulnerability independently yesterday.
> 
> (In reply to Anthony Basile from comment #1)
> > This fix is in uclibc-ng-1.0.16 which is the only version in the tree,
> > except for the live ebuild.  So all the vulnerable versions have been
> > removed already.
> 
> What about sys-libs/uclibc? It's in-tree and not patched. Also, all the
> ARM-based uClibc crossdev toolchains are affected, I think quite some people
> use it to statically link stuff.
> The uClibc ARM tarballs are still affected by this bug [1] too.
> 
> uClibc's latest release dates back to 15 May 2012, maybe we should estimate
> the effort of dropping uClibc completely in favor of uClibc-ng. Has it ever
> been tried?
> 
> [1] http://distfiles.gentoo.org/experimental/arm/uclibc/

There is only so much of me to go around.  I will be abandoning sys-libs/uclibc in about 1 month.  I simply cannot maintain more and do my real life work.
Comment 4 Thomas Deutschmann gentoo-dev 2016-11-18 19:47:59 UTC
@ Security: Please vote.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-04-19 05:44:11 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.

Blueness, based on your comments, can you please post if anyone would like to maintain the package?
Comment 6 Anthony Basile gentoo-dev 2017-04-19 15:22:10 UTC
(In reply to Yury German from comment #5)
> Arches and Maintainer(s), Thank you for your work.
> New GLSA Request filed.
> 
> Blueness, based on your comments, can you please post if anyone would like to
> maintain the package?

I don't think we can remove uclibc just yet.  uclibc-ng has not yet matured to that point.  I would say by August I can make a full cleanup.
Comment 7 Thomas Deutschmann gentoo-dev 2017-06-03 18:07:29 UTC
I removed the pending GLSA: This vulnerability only affects ARM architecture which isn't an architecture with security coverage in Gentoo (see https://www.gentoo.org/support/security/vulnerability-treatment-policy.html).

Repository is clean, all done.