
Do we get a fix for glibc security issues?

asked 2016-02-17 14:14:15 +0200


updated 2017-07-31 20:30:39 +0200


As hackers are working on real exploits, this is very urgent. SFOS seems¹ to use ASLR (which prevents the most simple exploits), but which variant does it use: the weak form from kernel 2.6.12, or Position-independent executables (PIE), which is stronger but weak in low-memory conditions :-( ? ASLR is not perfect: here is an interesting article about ASLR on ARMv7 devices [Stagefright is not fixed btw and could harm a JollaPhone].
Possible workarounds without patching are not suitable!

• (CVE-2015-7547: the one and only glibc-related issue fix released in final Taalojärvi)
• (CVE-2015-8777: fix released in Haapajoki)
• (CVE-2015-8776: fix released in Haapajoki)
• (CVE-2015-8778: fix released in Haapajoki)
• CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (Access vector: NETWORK/REMOTE, CVSS v3 base score: 9.8/10, critical)
• (CVE-2015-8779: fix released in Haapajoki)
• (CVE-2015-1781: fix released in Haapajoki)
• (CVE-2014-8121: fix released in Haapajoki)

(from SUSE:SLE-12-SP1 patch of glibc 2.19 from 20160217)

• Do not copy d_name field of struct dirent. (CVE-2016-1234) (Fix released in Jämsänjoki)
• Do not use alloca in clntudp_call. (CVE-2016-4429) (Fix released in Jämsänjoki)
(from SUSE:SLE-12-SP1 patch of glibc 2.19 from 20160711)

• (CVE-2015-5277: fix released in Haapajoki)
• (CVE-2016-3075: fix released in Haapajoki)
• (CVE-2016-2856: fix released in Haapajoki)

These vulnerabilities (but not CVE-2014-9761) are fixed in glibc-2.19-0ubuntu6.9 and -0ubuntu6.13; version -0ubuntu6.8 with debian/patches/any/CVE-2014-9761-2.diff provides an inconvenient fix that adds an additional symbol to the symbol table (requires a manual restart of server services after patching).

¹cat /proc/sys/kernel/randomize_va_space returns 2, and repeated ldd <some-executable> returns different addresses for the linked libraries.

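The footnote's check (randomize_va_space plus repeated ldd runs) only shows that shared libraries move; it says nothing about whether the main executable itself is position-independent, which is the difference between the older kernel-only ASLR and PIE that the question asks about. The script below, an added example that is not part of the original post, makes both checks explicit: it reads the ELF header to tell EXEC from DYN (PIE), interprets the sysctl value, and counts how many distinct libc base addresses several ldd runs produce. The ldd outputs embedded in it are constructed samples, not captured from a Jolla device; `fake_elf_header` builds a minimal header for offline use.

```python
"""ASLR / PIE checks for a Linux userland (added example, not from the post)."""
import re
import struct
import subprocess
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# e_type values from the ELF specification; PIE binaries are linked as DYN.
E_TYPE_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

# Meaning of /proc/sys/kernel/randomize_va_space (Documentation/admin-guide/sysctl/kernel.rst).
ASLR_LEVELS = {
    "0": "disabled",
    "1": "conservative (stack, mmap, vdso randomised; brk not)",
    "2": "full (stack, mmap, vdso and brk randomised)",
}

# Constructed ldd outputs for two runs of the same binary; libc moves, the
# vdso line has no '=>' and is ignored by the parser.
SAMPLE_LDD_RUNS = [
    "\tlinux-vdso.so.1 (0x00007ffd2f1e0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a4c2e5000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f3a4c6d0000)\n",
    "\tlinux-vdso.so.1 (0x00007ffc9a7b1000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f91d08a1000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f91d0c8c000)\n",
]

LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+\S+\s+\((0x[0-9a-fA-F]+)\)")


def elf_type(header: bytes) -> str:
    """Return the e_type name ('EXEC', 'DYN', ...) from at least 18 header bytes."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    (e_type,) = struct.unpack_from(endian + "H", header, 16)  # e_type sits at offset 16
    return E_TYPE_NAMES.get(e_type, "UNKNOWN(%d)" % e_type)


def fake_elf_header(e_type: int, little_endian: bool = True) -> bytes:
    """Build a minimal (constructed) 20-byte ELF header for offline testing."""
    endian = "<" if little_endian else ">"
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(endian + "HH", e_type, 0x3E)  # e_type, e_machine


def is_pie(path: str) -> bool:
    """True when the executable is linked position-independent (e_type == DYN)."""
    with open(path, "rb") as f:
        return elf_type(f.read(64)) == "DYN"


def aslr_level(text: str) -> str:
    """Interpret the content of /proc/sys/kernel/randomize_va_space."""
    return ASLR_LEVELS.get(text.strip(), "unknown")


def library_addresses(ldd_output: str) -> dict:
    """Map library soname -> load address for one ldd run."""
    addrs = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            addrs[m.group(1)] = int(m.group(2), 16)
    return addrs


def distinct_addresses(runs: list, library: str) -> int:
    """Count distinct base addresses of `library` across several ldd outputs.

    A count of 1 over many runs means the library is not being randomised.
    """
    seen = {library_addresses(run).get(library) for run in runs}
    seen.discard(None)
    return len(seen)


def ldd_runs(binary: str, n: int = 5) -> list:
    """Run ldd n times on a real binary (needs glibc's ldd on the host)."""
    return [
        subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
        for _ in range(n)
    ]


if __name__ == "__main__":
    sysctl = Path("/proc/sys/kernel/randomize_va_space")
    level = aslr_level(sysctl.read_text()) if sysctl.exists() else "no sysctl (not Linux?)"
    print("kernel ASLR:", level)
    binary = "/bin/sh"  # assumption: any dynamically linked executable on the host
    print(binary, "is PIE:", is_pie(binary))
    print("distinct libc bases over 5 runs:", distinct_addresses(ldd_runs(binary), "libc.so.6"))
```

Run it on the device to get all three facts at once; a non-PIE binary under randomize_va_space=2 still gets randomised libraries and stack but a fixed code segment, which is the weaker of the two variants the question contrasts.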



Thank you, great post. Just wanted to open it ;) .... second :-D

megalith ( 2016-02-17 15:56:14 +0200 )edit

+1 and more characters

jollailija ( 2016-02-17 17:35:41 +0200 )edit

It's glibc, they will have to rebuild/test the world. I would expect that they will push back the Taalojarvi release for it though.

r0kk3rz ( 2016-02-17 17:51:00 +0200 )edit

@r0kk3rz no, they don't have to rebuild a lot. It affects glibc alone with its system functions, notably getaddrinfo() and strftime(), used by almost all other applications.

lpr ( 2016-02-17 18:36:15 +0200 )edit

Why is Jolla not able to patch on day zero?

lpr ( 2016-02-18 19:03:01 +0200 )edit

2 Answers


answered 2016-03-30 17:53:54 +0200


updated 2016-03-31 23:35:45 +0200

I added this issue to the topics for community meetings, maybe it'll be discussed on Thurs Mar-31 2016 @ 14:30 UTC in #mer-meeting (IRC) so if you're interested please show up there.

Edit: The relevant part of the meeting:

  • So 2.0.1 releasing is pending on the incoming call silence issue. (veskuh, 15:23:12)
  • the plan has been to release the hotfixes along with 2.0.1, but if that is still too far we should reconsider doing it as a separate hotfix as is now the proposal (veskuh, 15:24:23)
  • Jolla don't have definition of what makes issue critical, but we do have process for hotfix releases (stephg, 15:31:38)

So let's expect that hotfix.




This is probably the best answer the community can provide, but it doesn't answer the question, even with an ETA. Anyway, thanks to @veskuh, and btw, you're welcome to answer on TJC too ;)

reviewjolla ( 2016-03-31 23:52:15 +0200 )edit

answered 2016-04-24 16:02:49 +0200


updated 2017-07-31 20:39:23 +0200

It seems we will not see a single package update for glibc in Taalojärvi and Saimaa.
Jolla claims to have solved the issues with version 2.0.1 so there will be a new early access release of Taalojärvi.
I suppose Saimaa users have to keep waiting until final release...
edit 20160428: fixes CVE-2015-7547, 12 remaining...
edit 20170515: CVE-2016-1234 and CVE-2016-4429 fixed in glibc-2.19ubuntu6.11, so please implement it as soon as possible...

edit 20170629: glibc-2.19-0ubuntu6.13 additionally handles CVE-2017-1000366 (Stack Clash), so this should be implemented asap... (MER#1789)
edit 20170731: glibc-2.19-0ubuntu6.13 is part of the Jämsänjoki update, leaving only CVE-2014-9761 and CVE-2015-5180 ...




Yes, it is rolling out today to early access and includes the glibc update.

veskuh ( 2016-04-28 15:00:46 +0200 )edit

@veskuh @xfade a quick update to glibc-2.19+6.8 is needed! [not glibc-2.19+6.9, because 6.9 unfixes CVE-2014-9761]

lpr ( 2016-06-25 15:54:13 +0200 )edit

New release without an update? Come on guys, really? @veskuh @xfade @tigeli

lpr ( 2016-07-28 16:25:05 +0200 )edit

@veskuh @xfade @tigeli please revert debian/patches/any/CVE-2014-9761-2.diff in the SFOS source (as the mer-project refuses this request due to servers) and release it in final Fiskarsinjoki. Phones have different needs than servers...

lpr ( 2016-10-18 18:58:56 +0200 )edit

Asked: 2016-02-17 14:14:15 +0200

Seen: 9,152 times

Last updated: Jul 31