Bug 622226 (CVE-2017-1000376) - <dev-libs/libffi-3.2: arbitrary code execution by overwriting the stack (CVE-2017-1000376)
Status: RESOLVED INVALID
Alias: CVE-2017-1000376
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [noglsa cve]
Reported: 2017-06-19 15:23 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-19 14:06 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2017-06-19 15:23:38 UTC
CVE-2017-1000376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000376):
  libffi requests an executable stack allowing attackers to more easily
  trigger arbitrary code execution by overwriting the stack. Please note that
  libffi is used by a number of other libraries. This affects libffi version
  3.2.1.
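The flaw described above is about the PT_GNU_STACK program header: an ELF image whose GNU_STACK entry carries the execute flag (or that has no such entry at all, in which case the kernel on most Linux architectures falls back to an executable stack) asks the loader for RWX stack pages. The following checker is an added example, not code from this bug or from libffi, and the `make_elf` helper builds constructed minimal ELF images purely as sample input; it reports the same information as `readelf -lW | grep GNU_STACK`, so it can be used to audit installed libraries and binaries.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type the kernel reads for stack permissions
PF_X = 0x1                 # "execute" bit in p_flags

def stack_is_executable(data: bytes):
    """Return True if the ELF image asks for an executable stack, False if it
    asks for a non-executable one, and None if it carries no PT_GNU_STACK at
    all (the kernel then defaults to an executable stack on most Linux
    architectures, so None should be treated as risky, not as safe)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    fields = struct.unpack_from(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"), data, 16)
    phoff, phentsize, phnum = fields[4], fields[8], fields[9]
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags follows p_type directly in ELF64 but sits at offset 24 in ELF32
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def check_file(path: str):
    """Audit a file on disk (e.g. an installed libffi.so) for executable-stack markings."""
    with open(path, "rb") as f:
        return stack_is_executable(f.read())

def make_elf(stack_flags: int, bits: int = 64, p_type: int = PT_GNU_STACK) -> bytes:
    """Constructed minimal little-endian ELF image (not a real libffi build):
    one ELF header plus a single program header, used here only as sample input."""
    if bits == 64:
        ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", p_type, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    labels = {True: "RWX stack (executable)", False: "RW stack", None: "no PT_GNU_STACK (defaults to executable)"}
    for path in sys.argv[1:]:
        print(path, labels[check_file(path)])
```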
Comment 1 Matthias Maier gentoo-dev 2017-06-21 21:52:01 UTC
commit 6acaa7787fa53d19b19c0f193b24969a5641a315 (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 21 16:42:23 2017 -0500

    dev-libs/libffi: drop old versions, bug #622226
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 2 Alexander Tsoy 2017-06-21 22:22:01 UTC
Do we need a patch for arm64?
https://src.fedoraproject.org/cgit/rpms/libffi.git/tree/libffi-3.1-aarch64-fix-exec-stack.patch
Comment 3 Teika kazura 2017-09-06 23:33:32 UTC
According to nvd, last modified 2017-06-28 [1]:

It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376

Regards.
Comment 4 D'juan McDonald (domhnall) 2017-10-31 22:40:47 UTC
@security, will this require a GLSA request/release?

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2017-12-09 22:52:34 UTC
(In reply to Teika kazura from comment #3)
> According to nvd, last modified 2017-06-28 [1]:
> 
> It was previously stated that this affects libffi version 3.2.1 but this
> appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems
> was vulnerable, and upstream is believed to have fixed this issue in version
> 3.1.
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376
> 
> Regards.

Nothing to do for toolchain here anymore.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-19 13:59:35 UTC
(In reply to Teika kazura from comment #3)
> According to nvd, last modified 2017-06-28 [1]:
> 
> It was previously stated that this affects libffi version 3.2.1 but this
> appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems
> was vulnerable, and upstream is believed to have fixed this issue in version
> 3.1.
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2017-1000376
No, we are looking for commit https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d. And this commit appeared for the first time in libffi-3.2 release. Otherwise, Qualys would have failed to use this flaw in Debian 8 because Debian 8 was already at version 3.1.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-19 14:06:32 UTC
Closing this bug as invalid because Gentoo was not affected: Gentoo was already at unaffected >=libffi-3.2.1 version via bug 580616 when this vulnerability got reported.